WAF SSL - Converting .pfx Certificate and Key files to Qualys WAF-compatible files

Document created by Steve McBride on May 8, 2015Last modified by Rémi Le Mer on Sep 24, 2019
Version 3Show Document
  • View in full screen mode

When deploying Qualys WAF, the Portal needs to have encryption certificates and keys in the PEM format.  However, oftentimes (particularly when using Microsoft servers), you'll see an integrated certificate and key file in a .pfx format.  This is perfectly usable, but we'll need to first separate the certificate and private key, and convert them into a Qualys Portal-compatible format.


Looking at the SSL Configuration page, we'll go top to bottom and extract the necessary files to enable encryption on your protected applications.  To do so, you'll need to ensure that you've either got openssl installed on your system or have access to a system with openssl installed.


SSL Config Screen.PNG


First, we'll extract the certificate.  This can be done with a single command:

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]


Then, you can drag the .crt file output from the above command directly into the top box, under "Certificate information."


Second, we'll need to take care of the private key.  First issue the command to separate the key:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]


This will pull the key out of the .pfx file, but it exports it in an encrypted format which Portal cannot read.  To be able to use this key with the Portal interface, we'll need to issue one more command:

openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]


Now, you've got the key file in a usable format.  Tick the "Yes, this private key requires passphrase" button if necessary, enter and confirm the passphrase in the text boxes, and then drag the decrypted key into the appropriate box.


Now, your certificate and key should be accepted by the Portal.  Click "Generate WAF Passphrase" below, and record the generated passphrase - you'll need it later.


Finally, to complete the SSL configuration, ssh into the WAF appliance itself, and issue the following two commands:

set waf_ssl_passphrase=<WAF Passphrase from the Portal>


You'll need to restart the WAF services, either by rebooting the WAF appliance or by making a configuration change in the Portal, and your SSL configuration is complete.