Convert a CNG or ECC Certificate to PEM Files

RabbitMQ only supports the PEM file format for certificate verification. The new PEM file created below will be placed in the %HomeDirectory%\rabbitmq folder.

.pfx to .pem Conversion Example

The Examples folder contains a test certificate, localhost.pfx. This PFX is strictly for testing TLS on a single machine. Because it was not issued by a CA and is not trusted, you must import it into the Personal/Certificates certificate store; otherwise, any connections made to RabbitMQ using this certificate will fail.

RabbitMQ now supports CNG and/or ECC certificates. However, the RabbitMQ Helper needs OpenSSL to convert these types of certificates from PFX. Alternatively, you can use OpenSSL directly to do the conversion.

Manual Conversion from .pfx to .pem Using OpenSSL

For manual conversions, a user can use the following commands:

openssl pkcs12 -in localhost.pfx -nocerts -out cert.key -nodes

openssl pkcs12 -in localhost.pfx -clcerts -nokeys -out cert.pem

.pfx to .pem Conversion Using RabbitMQ Helper

This conversion can also be done with the RabbitMQ Helper, using the Convert-CngOrEccToPem command. It generates the following two files in the %HomeDirectory%\rabbitmq folder:

  • CngEccCert.key
  • CngEccCert.pem

OpenSSL must be installed for the conversion using the RabbitMQ Helper command. The path to OpenSSL must also be set in the System Environment Variables (for example, C:\Program Files\OpenSSL-Win64\bin).

The converted files will be generated in the RabbitMQ folder present inside the Default Directory (for example, C:\RabbitMq\...).

$path = "$env:programfiles\Delinea Software Ltd\RabbitMq Helper\net6.0\Examples";

$pfxCred = Get-Credential -UserName PfxUserName -Message "Enter the PFX password. Username is ignored";
#$password = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
#$pfxCred = New-Object System.Management.Automation.PSCredential ("Ignored", $password)

Convert-CngOrEccToPem `
    -PfxPath "$path\localhost.pfx" `
    -PfxCredential $pfxCred `
    -Verbose;

How to Use CNG or ECC Certificates with the Helper

  1. Run Convert-CngOrEccToPem to convert your CNG or ECC PFX certificate to a CngEccCert.key and CngEccCert.pem file. Alternatively, convert it manually using the OpenSSL commands given above.
  2. Follow the Convert a CA Certificate PFX to PEM File instructions to generate your ca.pem file.
  3. Follow the relevant instructions to install RabbitMQ with TLS enabled, using the localhost certs in the Examples folder.
  4. Replace the example CngEccCert.key, CngEccCert.pem, and ca.pem in C:\RabbitMq\ with your files.
  5. Restart the RabbitMQ service using the Stop-RabbitMq and Start-RabbitMq helper commands.
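
Before restarting the service in step 5, it is worth confirming that the key and certificate you placed in step 4 are a matching pair and reviewing who can read the key file. The following is an added example, not part of the RabbitMQ Helper or the original page. It assumes the files are in C:\RabbitMq, that the key file is unencrypted (as the -nodes option in the manual command produces), and that openssl is on the PATH; Get-PublicKeyHash is a hypothetical helper name.

```powershell
# Added example: verify the converted key/certificate pair before restarting RabbitMQ.
# Assumption: files are in C:\RabbitMq (the example location on this page).
$dir  = 'C:\RabbitMq'
$key  = Join-Path $dir 'CngEccCert.key'
$cert = Join-Path $dir 'CngEccCert.pem'

# Hypothetical helper: run openssl, take the PEM public key it prints, return its SHA-256.
function Get-PublicKeyHash {
    param([string[]]$OpenSslArgs)
    $pem = & openssl @OpenSslArgs 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $pem) {
        throw "openssl $($OpenSslArgs -join ' ') failed"
    }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes(($pem -join "`n"))
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

foreach ($f in $key, $cert) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Public key derived from the private key (works for both RSA and EC keys).
$fromKey  = Get-PublicKeyHash @('pkey', '-in', $key, '-pubout')
# Public key embedded in the certificate.
$fromCert = Get-PublicKeyHash @('x509', '-in', $cert, '-noout', '-pubkey')

if ($fromKey -ne $fromCert) {
    throw 'Private key and certificate do not match; do not restart RabbitMQ with these files.'
}
Write-Host 'Key and certificate match.'

# Show whose certificate this is and when it expires.
& openssl x509 -in $cert -noout -subject -enddate

# The key file is stored unencrypted on disk, so review who can read it.
(Get-Acl -LiteralPath $key).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the ACL listing shows broad groups with read access, tighten it so that only administrators and the account running the RabbitMQ service can read the key.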