Merge certificate public and private key with OpenSSL

This post isn’t about Lync Server/Skype for Business Server, but we think it will be a good reference for people that work with Lync/Skype.

When we do an offline certificate request, we will get an .REQ file that looks like this:

—–BEGIN NEW CERTIFICATE REQUEST—–
###################################
—–END NEW CERTIFICATE REQUEST—–

Then we use public or private CA to complete the request, and in return we get a .CER/.CRT file:

—–BEGIN CERTIFICATE—–
###################################
—–END CERTIFICATE—–

The private key, however, is usually stored in the device that generates the request. We can have it in cleartext and it will look like this:

—–BEGIN PRIVATE KEY—–
###################################
—–END PRIVATE KEY—–

We had this customer who sent us the .CER and .KEY. Even though we sent the normal request file created by the Lync Deployment Wizard, still the customer decided to create a new certificate and send us the private key in cleartext.
It’s really important never to store or send the private key of a certificate in cleartext.
We could send a new request, but we really needed to deploy the Edge Server with federation enabled. After some research, we found an easy way to do it using OpenSSL:

OpenSSL.org
https://www.openssl.org/

In this case, we used the OpenSSL for Windows pre-compiled version:

OpenSSL.org – Binary Distributions
https://wiki.openssl.org/index.php/Binaries

opensslmerge01

opensslmerge02

Note: Download the 32- or 64-bit to match the Windows version.

Inside the compressed file, we have this:

opensslmerge03

Extract all files to a folder (in this case, we did it to C:\OpenSSL) and copy the .CER and .KEY files to this same folder.
If we get a .P7B file with the certificate and the chain, we need to export the certificate first. In order to do this, simply open the file, right-click on the certificate and select All Tasks > Export:

opensslmerge04

When asked for Export File Format, we need to choose Base-64 encoded.509 (.CER):

opensslmerge05

Now in the Command Prompt, go to the folder, run the following command and insert a password (this will be used to import the certificate):

openssl pkcs12 -export -in lync_edge.cer -inkey lync_edge.key -out lync_edge_merged.pfx

opensslmerge06

Note: We can ignore the warning message, since we only need to merge the certificate.

Take notice that the new merged certificate was created in the folder:

opensslmerge07

We can import the certificate and finally have a certificate ready to be used by Lync Server/Skype for Business Server:

opensslmerge08