Extract full chain and private key from .pfx and prepare for Forcepoint SMC

Overview

This guide shows how to extract the full certificate chain and private key from an existing PKCS#12 / .pfx file using OpenSSL, convert them to DER where needed, and have PEM files ready for import into Forcepoint SMC (which requires PEM for private key and certificate).

Input: certificate.pfx (contains private key + full chain)
Output:

  • key.pem – unencrypted private key in PEM
  • cert-chain.pem – full certificate chain in PEM
  • key.der – private key in DER (optional)
  • cert.der – end‑entity certificate in DER (optional)
  • chain.der – chain (intermediates + root) in DER (optional)

1. Extract private key from PFX

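# 1.1 Extract encrypted private key from PFX
#     (prompts for the PFX import password, then for a new PEM pass phrase)
openssl pkcs12 -in certificate.pfx -nocerts -out key-encrypted.pem

# 1.2 Remove passphrase and create unencrypted private key
#     (openssl rsa handles RSA keys only; key.pem is written in the clear,
#     so restrict who can read it and remove it once the import is done)
openssl rsa -in key-encrypted.pem -out key.pem

# (optional) Securely delete the encrypted key
shred -u key-encrypted.pem  # or use a secure delete method on your OS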

Result: key.pem, an unencrypted private key in PEM (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY", depending on the OpenSSL version).

2. Extract full certificate chain from PFX

# 2.1 Extract end‑entity (leaf) certificate only
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem

# 2.2 Extract all CA certificates (intermediate + root)
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem

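# 2.3 Build full chain: leaf first, then the CA certificates
#     (ca-chain.pem keeps the order stored in the PFX; confirm it is
#     intermediates then root with the chain inspection in section 6)
cat cert.pem ca-chain.pem > cert-chain.pem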

Result: cert-chain.pem contains the full chain suitable for most uses.

3. (Optional) Convert PEM to DER

Forcepoint SMC imports private key and certificate in PEM, but if you need DER versions for other systems you can generate them here.

3.1 Convert private key to DER

openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt

3.2 Convert leaf certificate to DER

openssl x509 -in cert.pem -outform DER -out cert.der

3.3 Convert full chain to DER (per certificate)

# Split chain into individual PEM files if needed, then:
openssl x509 -in intermediate1.pem -outform DER -out intermediate1.der
openssl x509 -in intermediate2.pem -outform DER -out intermediate2.der
openssl x509 -in root.pem         -outform DER -out root.der

Note: A DER X.509 file holds a single certificate, so there is no DER equivalent of a concatenated PEM bundle; convert each certificate individually.
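
For step 3.3, one way to split a bundle such as ca-chain.pem or cert-chain.pem into per-certificate files, confirm the issuer order, and convert each file to DER. This is an added example, not part of the original guide; the function names and the cert-NN.pem / cert-NN.der output names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Output names cert-NN.pem/.der
# are assumptions. Usage: sh split-chain.sh ca-chain.pem outdir

# Write each certificate in bundle $1 to $2/cert-01.pem, cert-02.pem, ... in
# bundle order and print the count. Text outside the BEGIN/END markers (the
# "Bag Attributes", subject= and issuer= lines that pkcs12 emits) is dropped.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; file = sprintf("%s/cert-%02d.pem", dir, n); inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ { inside = 0; close(file) }
        END { if (inside) exit 2; print n + 0 }  # exit 2: BEGIN without END
    ' "$1"
}

# Succeed only if every certificate names the next file's subject as its
# issuer. This compares names only; it does not verify signatures.
check_chain_order() {
    prev_issuer=""
    for pem in "$1"/cert-*.pem; do
        subject=$(openssl x509 -in "$pem" -noout -subject) || return 1
        issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 1
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "${subject#*=}" ]; then
            echo "chain order breaks at $pem" >&2
            return 1
        fi
        prev_issuer=${issuer#*=}
    done
}

# Convert every split certificate to its own DER file (one certificate each).
pems_to_der() {
    for pem in "$1"/cert-*.pem; do
        openssl x509 -in "$pem" -outform DER -out "${pem%.pem}.der" || return 1
    done
}

# Run only when called with two arguments: BUNDLE OUTDIR.
if [ "$#" -eq 2 ]; then
    split_pem_bundle "$1" "$2" >/dev/null && check_chain_order "$2" && pems_to_der "$2"
fi
```

Run against cert-chain.pem, the order check also covers the leaf-to-intermediate link.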

4. Prepare files for Forcepoint SMC import

Forcepoint SMC expects PEM for private key and certificate when you use Import Private Key / TLS Credentials.

You should have at minimum:

  • key.pem – unencrypted private key (PEM)
  • cert.pem – end‑entity certificate (PEM)
  • ca-chain.pem or split into intermediate1.pem, intermediate2.pem, root.pem (PEM)

Optionally, you can keep cert-chain.pem (leaf + full chain) and use it where a bundle is required.

5. Import into Forcepoint SMC (TLS Credentials)

  1. Open the Management Client.
  2. Go to Configuration → Administration → Certificates → TLS Credentials.
  3. Right‑click TLS Credentials → Import Private Key.
  4. In the dialog:
    • Name: set a descriptive name (for example, fw-mgmt-tls).
    • Private Key: click Import and select key.pem.
    • Certificate: click Import and select cert.pem or cert-chain.pem.
    • Intermediate/CA certificates: if required, import the content of ca-chain.pem (or individual CA PEMs) in the intermediate / trusted CA sections.
  5. Save the configuration and deploy to the relevant engines.

6. Verification commands

# Check that key and certificate match (RSA keys: both commands hash the modulus)
openssl rsa  -in key.pem  -noout -modulus | openssl md5
openssl x509 -in cert.pem -noout -modulus | openssl md5

# Inspect resulting chain
openssl crl2pkcs7 -nocrl -certfile cert-chain.pem | openssl pkcs7 -print_certs -text -noout

Matching hashes from the first two commands confirm the private key and certificate belong together.