Convert .pfx to .cer - security

Is it possible to convert a .pfx (Personal Information Exchange) file to a .cer (Security Certificate) file? Unless I'm mistaken, isn't a .cer somehow embedded inside a .pfx? I'd like some way to extract it, if possible.

PFX files are PKCS#12 Personal Information Exchange Syntax Standard bundles. They can include arbitrary number of private keys with accompanying X.509 certificates and a certificate authority chain (set certificates).
If you want to extract client certificates, you can use OpenSSL's PKCS12 tool.
openssl pkcs12 -in input.pfx -out mycerts.crt -nokeys -clcerts
The command above will output certificate(s) in PEM format. The ".crt" file extension is handled by both macOS and Window.
You mention ".cer" extension in the question which is conventionally used for the DER encoded files. A binary encoding. Try the ".crt" file first and if it's not accepted, easy to convert from PEM to DER:
openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer

the simple way I believe is to import it then export it, using the certificate manager in Windows Management Console.

If you're working in PowerShell you can use something like the following, given a pfx file InputBundle.pfx, to produce a DER encoded (binary) certificate file OutputCert.der:
Get-PfxCertificate -FilePath InputBundle.pfx |
Export-Certificate -FilePath OutputCert.der -Type CERT
Newline added for clarity, but you can of course have this all on a single line.
If you need the certificate in ASCII/Base64 encoded PEM format, you can take extra steps to do so as documented elsewhere, such as here: https://superuser.com/questions/351548/windows-integrated-utility-to-convert-der-to-pem
If you need to export to a different format than DER encoded, you can change the -Type parameter for Export-Certificate to use the types supported by .NET, as seen in help Export-Certificate -Detailed:
-Type <CertType>
Specifies the type of output file for the certificate export as follows.
-- SST: A Microsoft serialized certificate store (.sst) file format which can contain one or more certificates. This is the default value for multiple certificates.
-- CERT: A .cer file format which contains a single DER-encoded certificate. This is the default value for one certificate.
-- P7B: A PKCS#7 file format which can contain one or more certificates.

I wanted to add a method which I think was simplest of all.
Simply right click the pfx file, click "Install" follow the wizard, and add it to a store (I added to the Personal store).
In start menu type certmgr.msc and go to CertManager program.
Find your pfx certificate (tabs at top are the various stores), click the export button and follow the wizard (there is an option to export as .CER)
Essentially it does the same thing as Andrew's answer, but it avoids using Windows Management Console (goes straight to the import/export).

Start OpenSSL from the OpenSSL\bin folder.
Open the command prompt and go to the folder that contains your .pfx file.
Run the following command to extract the private key:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will be prompted again to provide a new password to protect the .key file that you are creating. Store the password to your key file in a secure place to avoid misuse.
Run the following command to extract the certificate:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
Convert .pfx file to .pem format
There might be instances where you might have to convert the .pfx file into .pem format. Run the following command to convert it into PEM format.
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
source :https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

Might be irrelevant to OP's Q, but I've tried all openssl statements with all the different flags, while trying to connect with PHP \SoapClient(...) and after 3 days I finally found a solution that worked for me.
GitBash
$ cd path/to/certificate/
$ openssl pkcs12 -in personal_certificate.pfx -out public_key.pem -clcerts
First you have to enter YOUR_CERT_PASSWORD once, then DIFFERENT_PASSWORD! twice. The latter will possibly be available to everyone with access to code.
PHP
$wsdlUrl = "https://example.com/service.svc?singlewsdl";
$publicKey = "rel/path/to/certificate/public_key.pem";
$password = "DIFFERENT_PASSWORD!";
$params = [
'local_cert' => $publicKey,
'passphrase' => $password,
'trace' => 1,
'exceptions' => 0
];
$soapClient = new \SoapClient($wsdlUrl, $params);
var_dump($soapClient->__getFunctions());

You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
# Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
# Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
# combine ca-certs and cert files
cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt
# Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key

openssl rsa -in f.pem -inform PEM -out f.der -outform DER

Related

How to make an dictionary attack to a .p12 with password (educative pruposes)

Which programme or command do you use to extract the public key from a p12 protected with a password? I am trying with the command hydrabut i think it only works along networks
You can use openssl to check, convert etc. a p12 file.
E.g.:
openssl pkcs12 -info -in example.p12
or
openssl pkcs12 -in example.p12 -out example.pem -nodes
etc.
You can make openssl read the password from a file or stdin. E.g.:
openssl [...] -pass stdin
See man page for openssl for more ideas.

OpenSSL: Is it possible to view the EC Named Curve without the ecparam file?

Is there an OpenSSL command to derive the Named Curved that was used in the generation of an EC Key Pair?
I generate the parameters into a PEM file here:
openssl ecparam -name secp256k1 -out secp256k1.pem
Then verify the Named Curve used by typing:
openssl ecparam -in secp256k1.pem -text -noout
But how to achieve the same when you have only the Private.pem and Public.pem and NOT the ecparam file?
openssl pkey -in user1Key.pem -text -noout worked on keys I generated with the Command-Line OpenSSL tool but not the C libraries. When I run this command against the PEM files - I generated using C - I get everything but NOT the short ecparam name. I get the Private, Public, Seed, Prime, A, B, etc.
Update:
My C code was generating an EC Pair with OpenSSL APIs where the explicit parameters for the Curve was set. When I did the same with OpenSSL's command line tool, I did not set the explicit parameter.
To get around the issue - to verify both sides were deriving the same Key - I used the following OpenSSL command line tool:
openssl ecparam -in ec_paramprime256v1.pem -genkey -noout -out appKey.pem -param_enc explicit
If this has impacted you, I suggest you investigate OpenSSL's wiki for set_asn1_flag

iOS Mobile Push Gateway setup - openssl command implementation

I would like to use the Mobile Push Gateway to send push messages when my app is in the background. I followed this tutorial and almost done it, but i can't convert the .p12 file to .pem. I could successfully export the .p12 certificate, but can't finish the next steps, maybe i missed something, but can't figure it out.
It's clear that i need to run an openssl command in the Terminal like this:
openssl pkcs12 -in <EXPORTED_CERT_NAME.p12> -out <PEM_CERT_NAME.pem> -nodes
This is my version:
openssl pkcs12 -in <cert.p12> -out <newCert.pem> -nodes
cert.p12 is the exported certificate from the keychain, newCert.pem is the new file's name. I've pasted it into the terminal and pressed enter, but nothing happens. Just getting this message cert2.pem: No such file or directory.
When i try to check the cert with this command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert server_certificates_bundle_sandbox.pem -key server_certificates_bundle_sandbox.pem
Get this error:
Error opening client certificate private key file server_certificates_bundle_sandbox.pem
2668:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('server_certificates_bundle_sandbox.pem','r')
2668:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
What did i wrong? Is it something wrong in my openssl code or i need to do something different in the terminal?
Update 3
a, version
cd /tmp
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
openssl pkcs12 -in devKey.p12 -out newDevCert.pem -nodes
Error opening input file devKey.p12
devKey.p12: No such file or directory
b, version
In this case I don't have chance to enter the password, because the error shows up right after the openssl command.
cd documents
openssl pkcs12 -in devKey.p12 -out samplePem.pem -nodes
Enter Import Password:
Mac verify error: invalid password?
Update 2
I tried it without the < > in the names
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
And it seems something happened
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -node
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
....
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
But when i try to verify it still get an error:
Error opening client certificate private key file newDevCert.pem
850:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:356:fopen('newDevCert.pem','r')
850:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
Update (earlier)
I've exported a new .p12 certificate and tried it again. If i just open the terminal and run this code:
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
Got this error
-bash: developerTest.p12: No such file or directory
I saved developerTest.p12 into my Documents folder, so when i try
cd documents
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
I get a different error:
-bash: newDevCert.pem: No such file or directory
In this case I think the answer is a little bit closer, when I run the command inside the Documents folder it finds the exported .p12, however something is still wrong.
Is it sure that the PEM_CERT_NAME can be anything?
The /tmp version:
cd /tmp
openssl pkcs12 -in <developerTest.p12> -out <newDevCert.pem> -node
-bash: developerTest.p12: No such file or directory
-node should be -nodes (this means "no des")
Never use the greater than / less than (< or >) in a filename. The have special meaning in Unix (redirects). When used in instructions, they basically mean, "replace whats between the < and > with your own value, and omit the < and >".
For example, this should work fine:
cd /tmp
openssl pkcs12 -in developerTest.p12 -out newDevCert.pem -nodes
Let me know if the above works.

Obtaining Chrome Extension ID for development

Although similar to this SO question, I am not asking:
Under what conditions does an extension's ID change?
nor
How can I upload my zip archive to the Chrome Dashboard?
I am however asking, how I can obtain an extension's key without using the Chrome Dashboard. Therefore, I do not consider it a duplicate of this SO question.
The documentation for using Google Identity inside a Chrome extension states the need to copy an extensions's key to its manifest file.
To keep your application ID constant, you need to copy the key in the
installed manifest.json to your source manifest.
However, when navigating to the recommended directory (...Google/Chrome/Default/Extensions) I do not see the ID of my unpacked extension. I realise this is because the extension was not installed as .crx file. However, the documentation is clearly written for the purposes of development:
Copy key in the installed manifest.json to your source manifest, so
that your application ID will stay constant during development.
How can I avoid packaging my extension and reinstalling each time I make a change?
If my development extension has no installed manifest file from which I can obtain the extension's key, where can I get it from?
The easy way
The easiest way to get an extension ID is to generate the .pem file and extract the extension ID using the steps described in my other answer (read the part below the image).
The command-line way
The rest of this answer is for those who want to generate the extension ID with command-line tools only. I'm going to use OpenSSL because it is cross-platform.
First, we generate a private key. Keep this private key secret and do not lose it. Otherwise you will not be able to create a CRX file with the same extension ID. As of writing, the private keys generated by Chrome are 2048-bit RSA keys in PKCS #8 format (1024-bit until 2013). Throughout the answer, I will refer to this private key file as key.pem, because the Chrome Web Store expects that the private key is called key.pem.
Second, I show how to generate the value for the "key" field of the manifest file. This is just the public key, encoded in base64 format.
The third command in my answer shows how to calculate the extension ID given a public key (derived from a private key).
Linux / Mac
OpenSSL is installed on most Linux distros. If not, just install openssl via your favorite package manager.
# Create private key called key.pem
2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
# Generate string to be used as "key" in manifest.json (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
# Calculate extension ID (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | shasum -a 256 | head -c32 | tr 0-9a-f a-p
I've put 2>/dev/null at the start of each line to prevent "writing RSA key" from being output to the console.
Windows
If you don't have OpenSSL, you can get a precompiled binary from this mirror.
#echo off
:: Assuming that you have installed OpenSSL in this directory
SET PATH=%PATH%;C:\OpenSSL-Win32\bin
:: Create private key called key.pem
2>NUL openssl genrsa -out priv.tmp 2048
2>NUL openssl pkcs8 -topk8 -in priv.tmp -nocrypt -out key.pem
del priv.tmp
:: Generate string to be used as "key" in manifest.json
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl base64 -A -in pub.tmp
del pub.tmp
:: Calculate extension ID
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl dgst -sha256 -out checksum.tmp pub.tmp
SET /p EXTID=<checksum.tmp
SET EXTID=%EXTID:* =%
SET EXTID=%EXTID:~0,32%
SET EXTID=%EXTID:f=p%
SET EXTID=%EXTID:e=o%
SET EXTID=%EXTID:d=n%
SET EXTID=%EXTID:c=m%
SET EXTID=%EXTID:b=l%
SET EXTID=%EXTID:a=k%
SET EXTID=%EXTID:9=j%
SET EXTID=%EXTID:8=i%
SET EXTID=%EXTID:7=h%
SET EXTID=%EXTID:6=g%
SET EXTID=%EXTID:5=f%
SET EXTID=%EXTID:4=e%
SET EXTID=%EXTID:3=d%
SET EXTID=%EXTID:2=c%
SET EXTID=%EXTID:1=b%
SET EXTID=%EXTID:0=a%
echo %EXTID%
del checksum.tmp pub.tmp
#echo on
I've put 2>NUL at the start of each line with the openssl command to hide a harmless warning about a missing config file.
Examples
Here is an example of running the previous commands on Linux. The relevant output of the commands are boldfaced. The first command creates a file, so there is no visible output in the shell. Note that the output of the second and third command do not end with a line break, so there is a "$" at the end of the line (which should not be copied).
$ # Create private key called key.pem
$ 2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
$ # Generate string to be used as "key" in manifest.json (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8vj7SK0NZ6ak7K6m6KEAkfGaNfKUahqFFms6W8rq+voaW7nETrpsMqNyhmBQ+ea0KkyI/S5XIrDQPqDcNpvesYlg9lsmi7CQBZjJw7zNqKkvn0oYaP4SNtWZfZopBumqFbzFi5cst2PT+XU9CBitxXNtocRtcjOsa44W1gPA5xanmtlF258N6Nann+rSOAdhIWqSo/J6fj72cxTNfmqLkwAvhdS4Zyux4F87vxp4YTSwElfYXFsHZWi7h66uuuMzqyOyJz5grhCJ24rtTshMQUCxQWyhO2XT2J1tVfUN1YVw6xdKUz3aGyKZeXCuql5klHmlqE9PTlbKj/1VMiIgCQIDAQAB$
$ # Calculate extension ID (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | sha256sum | head -c32 | tr 0-9a-f a-p
mfabfdnimhipcapcioneheloaehhoggk$
$ cat key.pem # Show content of key.pem for completeness of this demo
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDy+PtIrQ1npqTs
rqbooQCR8Zo18pRqGoUWazpbyur6+hpbucROumwyo3KGYFD55rQqTIj9LlcisNA+
oNw2m96xiWD2WyaLsJAFmMnDvM2oqS+fShho/hI21Zl9mikG6aoVvMWLlyy3Y9P5
dT0IGK3Fc22hxG1yM6xrjhbWA8DnFqea2UXbnw3o1qef6tI4B2EhapKj8np+PvZz
FM1+aouTAC+F1LhnK7HgXzu/GnhhNLASV9hcWwdlaLuHrq664zOrI7InPmCuEInb
iu1OyExBQLFBbKE7ZdPYnW1V9Q3VhXDrF0pTPdobIpl5cK6qXmSUeaWoT09OVsqP
/VUyIiAJAgMBAAECggEAIztFPKmTOwdn/MXqf+rwqTjuUopFSQllaPXNdYf8AL6J
Wema9IuFquYWcjO/Ki1wzH1ik8vHaMlYuOwcYnLBnN69x5s6AKFukNEx2IclDyLR
O/jDh13oCDl600KqVk1Fk3dW8cHPAxyfnRmJ6wWhFPOC3yUbdabWhpYI66mJrDhN
ZpN04RmH7DIlhlBpvq/OMVodhRtqb4/EVJYghTxUsrsv/I+3t3zl/o/c0DiOjiVZ
pEBYzn0rrHP8BAEhJWagGNgvotHPaVKAjoYcUiOUtMM4P1Js034XKjP4MHE1pMbN
VlVnQMz3/6CXFL+wU1QqfohdChmcnc4QwM+vCFK47QKBgQD/FjHxhCJco0rNqNua
B0inGx2Jfb4b+FWwLyNobaYey11o0MjpkpAvYcfe3zW8DQtmepDxGL8CpORoWtFg
sVnmhAir0I6bxdZLMwKcp4T+kHW3n/ae3z8tPvMvclCnARGEp+ccyDH9X2iyaSd5
8DeJ6ND32+yr+vLgyyK/JW1z5wKBgQDz167cLe+xoRUqlKdJq8lzmij30lGVUT2D
5Fn+2YUKIMeVEM7PlEmu9UmpN5HMA+LSNeiMZ1uhW5YQovXlXZCWoRqieeI4LMoM
M335hsAWpS8pFRdlXMy885w5FUC5v4Ji0RUI37WON6fxNd8zFVqAMOcAANg716RI
MWfblCJOjwKBgQDV8BKBIbYEBfv10poja9p2NFqodqpcIQIU2uQScGvzxdIY14q5
wu9kndiYxpH1nuch0sf/PSbuG8do8kpKk1P37mKrXyZL5TgeJ7EYG7OCITxpfiLE
Ci6dTv98mp6kAlRj8sH1tL2gaEWR5Hl0XpDl/DpOtsefUcAj4prIv6Y1nwKBgGUk
obNSmonjdxQidQFp8DWzTCr/Yje9ava6UVoUf8qjriV2w1H3AFlCBTvbgO5O7laj
ZcJXXPqhMq3T6ospNEBGsvWR+PO0IFrPQQGvkx3Rhq5TwVCaHZKCudozppVlin/S
mhcENBq5mz/CSMK3qMJjhm3J6+dmmw4W8C10VIahAoGARf4zus0TQIxRlix1Oaaz
sM5yANLcLivoeJDVOlUFUWgeSUc6Yma8T/FYlAkEVyyK+/nCWNErTS2yOzXEff01
n8F0h1DJ4K5zxt0OhGUIUAGgR/kqpub0omqTJcJndLv2qgzofwK21Uih6yQzDeus
lJsf3m3tuax5kcmhnDojbtE=
-----END PRIVATE KEY-----
The easiest way I found to do this is by packaging the chrome extension in development mode.
To package an extension:
Bring up the Extensions management page by going to this URL:
chrome://extensions
Ensure that the "Developer mode" checkbox in the top right-hand corner is checked.
Click the Pack extension button. A dialog appears.
In the Extension root directory field, specify the path to the extension's folder—for example, ~/mytodosextension. (Ignore the other field; you don't specify a private key file the first time you package a particular extension.)
Click Package. The packager creates two files:
a .crx file, which is the actual extension that can be installed,
and a .pem file, which contains the private key.
See chrome documentation here
Unpacked Chrome extensions ID is generated based on the path of it's directory. For unpacked extension you can generate the id in following way (code in Python):
import hashlib
m = hashlib.sha256()
m.update(bytes(PATH.encode('utf-8')))
EXTID = ''.join([chr(int(i, base=16) + ord('a')) for i in m.hexdigest()][:32])
where PATH is normalized path to the extension, ie.:
PATH = os.path.dirname(os.path.realpath(__file__))

OAuth Application ID for Chrome Extension [duplicate]

Although similar to this SO question, I am not asking:
Under what conditions does an extension's ID change?
nor
How can I upload my zip archive to the Chrome Dashboard?
I am however asking, how I can obtain an extension's key without using the Chrome Dashboard. Therefore, I do not consider it a duplicate of this SO question.
The documentation for using Google Identity inside a Chrome extension states the need to copy an extensions's key to its manifest file.
To keep your application ID constant, you need to copy the key in the
installed manifest.json to your source manifest.
However, when navigating to the recommended directory (...Google/Chrome/Default/Extensions) I do not see the ID of my unpacked extension. I realise this is because the extension was not installed as .crx file. However, the documentation is clearly written for the purposes of development:
Copy key in the installed manifest.json to your source manifest, so
that your application ID will stay constant during development.
How can I avoid packaging my extension and reinstalling each time I make a change?
If my development extension has no installed manifest file from which I can obtain the extension's key, where can I get it from?
The easy way
The easiest way to get an extension ID is to generate the .pem file and extract the extension ID using the steps described in my other answer (read the part below the image).
The command-line way
The rest of this answer is for those who want to generate the extension ID with command-line tools only. I'm going to use OpenSSL because it is cross-platform.
First, we generate a private key. Keep this private key secret and do not lose it. Otherwise you will not be able to create a CRX file with the same extension ID. As of writing, the private keys generated by Chrome are 2048-bit RSA keys in PKCS #8 format (1024-bit until 2013). Throughout the answer, I will refer to this private key file as key.pem, because the Chrome Web Store expects that the private key is called key.pem.
Second, I show how to generate the value for the "key" field of the manifest file. This is just the public key, encoded in base64 format.
The third command in my answer shows how to calculate the extension ID given a public key (derived from a private key).
Linux / Mac
OpenSSL is installed on most Linux distros. If not, just install openssl via your favorite package manager.
# Create private key called key.pem
2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
# Generate string to be used as "key" in manifest.json (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
# Calculate extension ID (outputs to stdout)
2>/dev/null openssl rsa -in key.pem -pubout -outform DER | shasum -a 256 | head -c32 | tr 0-9a-f a-p
I've put 2>/dev/null at the start of each line to prevent "writing RSA key" from being output to the console.
Windows
If you don't have OpenSSL, you can get a precompiled binary from this mirror.
#echo off
:: Assuming that you have installed OpenSSL in this directory
SET PATH=%PATH%;C:\OpenSSL-Win32\bin
:: Create private key called key.pem
2>NUL openssl genrsa -out priv.tmp 2048
2>NUL openssl pkcs8 -topk8 -in priv.tmp -nocrypt -out key.pem
del priv.tmp
:: Generate string to be used as "key" in manifest.json
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl base64 -A -in pub.tmp
del pub.tmp
:: Calculate extension ID
2>NUL openssl rsa -in key.pem -pubout -outform DER -out pub.tmp
2>NUL openssl dgst -sha256 -out checksum.tmp pub.tmp
SET /p EXTID=<checksum.tmp
SET EXTID=%EXTID:* =%
SET EXTID=%EXTID:~0,32%
SET EXTID=%EXTID:f=p%
SET EXTID=%EXTID:e=o%
SET EXTID=%EXTID:d=n%
SET EXTID=%EXTID:c=m%
SET EXTID=%EXTID:b=l%
SET EXTID=%EXTID:a=k%
SET EXTID=%EXTID:9=j%
SET EXTID=%EXTID:8=i%
SET EXTID=%EXTID:7=h%
SET EXTID=%EXTID:6=g%
SET EXTID=%EXTID:5=f%
SET EXTID=%EXTID:4=e%
SET EXTID=%EXTID:3=d%
SET EXTID=%EXTID:2=c%
SET EXTID=%EXTID:1=b%
SET EXTID=%EXTID:0=a%
echo %EXTID%
del checksum.tmp pub.tmp
#echo on
I've put 2>NUL at the start of each line with the openssl command to hide a harmless warning about a missing config file.
Examples
Here is an example of running the previous commands on Linux. The relevant output of the commands are boldfaced. The first command creates a file, so there is no visible output in the shell. Note that the output of the second and third command do not end with a line break, so there is a "$" at the end of the line (which should not be copied).
$ # Create private key called key.pem
$ 2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out key.pem
$ # Generate string to be used as "key" in manifest.json (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | openssl base64 -A
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8vj7SK0NZ6ak7K6m6KEAkfGaNfKUahqFFms6W8rq+voaW7nETrpsMqNyhmBQ+ea0KkyI/S5XIrDQPqDcNpvesYlg9lsmi7CQBZjJw7zNqKkvn0oYaP4SNtWZfZopBumqFbzFi5cst2PT+XU9CBitxXNtocRtcjOsa44W1gPA5xanmtlF258N6Nann+rSOAdhIWqSo/J6fj72cxTNfmqLkwAvhdS4Zyux4F87vxp4YTSwElfYXFsHZWi7h66uuuMzqyOyJz5grhCJ24rtTshMQUCxQWyhO2XT2J1tVfUN1YVw6xdKUz3aGyKZeXCuql5klHmlqE9PTlbKj/1VMiIgCQIDAQAB$
$ # Calculate extension ID (outputs to stdout)
$ 2>/dev/null openssl rsa -in key.pem -pubout -outform DER | sha256sum | head -c32 | tr 0-9a-f a-p
mfabfdnimhipcapcioneheloaehhoggk$
$ cat key.pem # Show content of key.pem for completeness of this demo
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDy+PtIrQ1npqTs
rqbooQCR8Zo18pRqGoUWazpbyur6+hpbucROumwyo3KGYFD55rQqTIj9LlcisNA+
oNw2m96xiWD2WyaLsJAFmMnDvM2oqS+fShho/hI21Zl9mikG6aoVvMWLlyy3Y9P5
dT0IGK3Fc22hxG1yM6xrjhbWA8DnFqea2UXbnw3o1qef6tI4B2EhapKj8np+PvZz
FM1+aouTAC+F1LhnK7HgXzu/GnhhNLASV9hcWwdlaLuHrq664zOrI7InPmCuEInb
iu1OyExBQLFBbKE7ZdPYnW1V9Q3VhXDrF0pTPdobIpl5cK6qXmSUeaWoT09OVsqP
/VUyIiAJAgMBAAECggEAIztFPKmTOwdn/MXqf+rwqTjuUopFSQllaPXNdYf8AL6J
Wema9IuFquYWcjO/Ki1wzH1ik8vHaMlYuOwcYnLBnN69x5s6AKFukNEx2IclDyLR
O/jDh13oCDl600KqVk1Fk3dW8cHPAxyfnRmJ6wWhFPOC3yUbdabWhpYI66mJrDhN
ZpN04RmH7DIlhlBpvq/OMVodhRtqb4/EVJYghTxUsrsv/I+3t3zl/o/c0DiOjiVZ
pEBYzn0rrHP8BAEhJWagGNgvotHPaVKAjoYcUiOUtMM4P1Js034XKjP4MHE1pMbN
VlVnQMz3/6CXFL+wU1QqfohdChmcnc4QwM+vCFK47QKBgQD/FjHxhCJco0rNqNua
B0inGx2Jfb4b+FWwLyNobaYey11o0MjpkpAvYcfe3zW8DQtmepDxGL8CpORoWtFg
sVnmhAir0I6bxdZLMwKcp4T+kHW3n/ae3z8tPvMvclCnARGEp+ccyDH9X2iyaSd5
8DeJ6ND32+yr+vLgyyK/JW1z5wKBgQDz167cLe+xoRUqlKdJq8lzmij30lGVUT2D
5Fn+2YUKIMeVEM7PlEmu9UmpN5HMA+LSNeiMZ1uhW5YQovXlXZCWoRqieeI4LMoM
M335hsAWpS8pFRdlXMy885w5FUC5v4Ji0RUI37WON6fxNd8zFVqAMOcAANg716RI
MWfblCJOjwKBgQDV8BKBIbYEBfv10poja9p2NFqodqpcIQIU2uQScGvzxdIY14q5
wu9kndiYxpH1nuch0sf/PSbuG8do8kpKk1P37mKrXyZL5TgeJ7EYG7OCITxpfiLE
Ci6dTv98mp6kAlRj8sH1tL2gaEWR5Hl0XpDl/DpOtsefUcAj4prIv6Y1nwKBgGUk
obNSmonjdxQidQFp8DWzTCr/Yje9ava6UVoUf8qjriV2w1H3AFlCBTvbgO5O7laj
ZcJXXPqhMq3T6ospNEBGsvWR+PO0IFrPQQGvkx3Rhq5TwVCaHZKCudozppVlin/S
mhcENBq5mz/CSMK3qMJjhm3J6+dmmw4W8C10VIahAoGARf4zus0TQIxRlix1Oaaz
sM5yANLcLivoeJDVOlUFUWgeSUc6Yma8T/FYlAkEVyyK+/nCWNErTS2yOzXEff01
n8F0h1DJ4K5zxt0OhGUIUAGgR/kqpub0omqTJcJndLv2qgzofwK21Uih6yQzDeus
lJsf3m3tuax5kcmhnDojbtE=
-----END PRIVATE KEY-----
The easiest way I found to do this is by packaging the chrome extension in development mode.
To package an extension:
Bring up the Extensions management page by going to this URL:
chrome://extensions
Ensure that the "Developer mode" checkbox in the top right-hand corner is checked.
Click the Pack extension button. A dialog appears.
In the Extension root directory field, specify the path to the extension's folder—for example, ~/mytodosextension. (Ignore the other field; you don't specify a private key file the first time you package a particular extension.)
Click Package. The packager creates two files:
a .crx file, which is the actual extension that can be installed,
and a .pem file, which contains the private key.
See chrome documentation here
Unpacked Chrome extensions ID is generated based on the path of it's directory. For unpacked extension you can generate the id in following way (code in Python):
import hashlib
m = hashlib.sha256()
m.update(bytes(PATH.encode('utf-8')))
EXTID = ''.join([chr(int(i, base=16) + ord('a')) for i in m.hexdigest()][:32])
where PATH is normalized path to the extension, ie.:
PATH = os.path.dirname(os.path.realpath(__file__))

Resources