Question about how to get openssl to work with Apache - apache

So I need to create a self-signed certificate for a web page I am making with Apache. I have looked up and followed different sets of instructions but I am missing something. I am a student and have never used SSL or Apache. Apache is installed, the localhost page is up and showing the content of the HTML docs I've edited. OpenSSL is installed. So it's probably me missing something. I keep getting messages like this:
C:\Program Files\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 1024
genrsa: Can't open "server.key" for writing, Permission denied
C:\Program Files\OpenSSL-Win64\bin>openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
Generating a RSA private key
..........................+++++
...................................+++++
writing new private key to 'mysitename.key'
req: Can't open "mysitename.key" for writing, Permission denied
Any suggestions?

You are missing private key creation.
1 Private key creation
openssl genrsa -out server.key 2048
result
$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAr2E2AUJ+TbptdBVMxYHmUzRpOflP69SX03NyuKh75XIO4tp6
...
Fhe+gzT7QD7Dg9SdP45eQWy5jtDYu4HIcy/ha0sikBi9+8pSs6qo
-----END RSA PRIVATE KEY-----
2 Certificate Signing Request creation with #1's private key
openssl req -new -key server.key -out server.csr
The Common Name needs to be localhost; the other options can be left at the defaults or set to your own.
Common Name (e.g. server FQDN or YOUR name) []:localhost
result
$ cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
...
sDS9gxYfks/7zxvtBzOWR3ZZzjlenpyqqu4aYZyb
-----END CERTIFICATE REQUEST-----
3 Certificate creation
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
result
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIIDOTCCAiECFB0jWF04/GTmwfh8Ph1Zqeulb0IuMA0GCSqGSIb3DQEBCwUAMFkx
...
nrp0uU09oePMMMEn5g==
-----END CERTIFICATE-----
4 local server code in Python (file name is server.py)
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl

class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'Hello, world!')

httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was deprecated in Python 3.7 and removed in 3.12;
# an SSLContext loading the certificate and key from steps 1 and 3 does the same job
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.crt', keyfile='./server.key')
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
5 local server test
python server.py

Related

Generate OpenSSL CRL file without a configuration file

I have a basic nginx home server setup for which I use client certificates to allow outside access. I have followed this guide to get everything set up, which works as expected:
https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6
in summary:
openssl genrsa -aes256 -out ca.privkey 4096
openssl req -new -x509 -days 365 -key ca.privkey -out ca.crt
openssl genrsa -aes256 -out bobs-ipad.privkey 4096
openssl req -new -out bobs-ipad.csr -key bobs-ipad.privkey
openssl x509 -req -days 365 -in bobs-ipad.csr -CA ca.crt -CAkey ca.privkey -set_serial 100 -out bobs-ipad.crt
openssl pkcs12 -export -clcerts -in bobs-ipad.crt -inkey bobs-ipad.privkey -out bobs-ipad.p12
Also openssl pkcs12 -in bobs-ipad.p12 -out bobs-ipad.pem -nodes to generate a pem file as well.
And in nginx config:
ssl_client_certificate <path>/ca.crt;
# ssl_crl <path>/ca.crl;
ssl_verify_client optional;
...
location / {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}
I am able to access the server from outside and only signed certificates on the client machine allow access.
However, if one of the signed certificates were to be compromised I'd have to re-generate the CA and re-distribute the new signed client certificates. I understand that a CRL file can be used to revoke certificates using ssl_crl <path to crl>; in the nginx config, but I am not sure how to generate this using the guide I followed.
A command like this can be used: openssl ca -gencrl -keyfile ca.privkey -cert ca.crt -out ca.crl
But this relies on a configuration file with an index of the certificates, I believe?
Is there any way of using a command like the above to input a (or a list of) pem or p12 client certificate(s) -in bobs-ipad.pem that I want to revoke?
If not, perhaps I need to start again and have a config with an index file to then -revoke the certificates and re-generate the crl file.
Thanks in advance,
Richard
It doesn't seem like this is possible. I have found some other guides to get this working with a configuration file (and generating a new CA): https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
https://www.djouxtech.net/posts/nginx-client-certificate-authentication/

Sign a User certificate with CA.key :openssl

I've a user certificate (certname.pem) and user key (keyname.pem) which I've generated using the command below.
openssl req -newkey rsa:2048 -nodes -keyout keyname.pem -x509 -days 365 -out certname.pem
Also I've generated a CA key (ca.key.pem) and CA root certificate (ca.root.pem) using the command below.
openssl req -x509 -days 557 -newkey rsa:1024 -out ca.root.pem -keyout ca.key.pem
Now I want to sign the user certificate (certname.pem) with the CA key (ca.key.pem) but I am unable to do so using the command below.
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in certname.pem -out new-certname.pem
as this command gives error:
Error reading certificate request in certname.pem
139992806578040:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: CERTIFICATE REQUEST
Whereas the contents of my certname.pem are as follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
How to sign this certificate with the ca.key.pem?
Please help.
Reference for generating certificates - https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
Question originally answered by https://stackoverflow.com/users/99027/john-deters on https://security.stackexchange.com/questions/189148/sign-a-user-certificate-with-ca-key-openssl
You included -out certname.pem on your original request, which in this case instructed openssl to generate a self-signed root CA certificate named certname.pem. It is a certificate, but probably not the kind you want here.
I assume you instead want to use your newly minted CA to sign your public key and create a server certificate. You'll need to first generate a Certificate Signing Request (CSR) from your new key (the one in keyname.pem):
openssl req -out keyname.csr -key keyname.pem -new -days 365
You can then pass this CSR to request a certificate:
openssl ca -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -in keyname.csr -out new-certname.pem
Your issue is that a CA signs a CSR (certificate signing request), and the result is a completely new certificate issued by the CA.
I have some examples ready for myself: https://pastebin.com/m9rzFJ9c
#create certificate signing request
openssl req -new -key ./sslCA/private/myserver.key -out ./sslCA/private/cakey.csr
#sign the signing request
openssl x509 -req -days 365 -in ./sslCA/private/cakey.csr -signkey ./sslCA/private/myserver.key -out ./sslCA/private/cacert.pem
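Both the CRL question and this one come down to the same thing: openssl ca works from a configuration file plus an index.txt database, so a certificate has to be issued through that database before it can be revoked or listed in a CRL. The script below is an added example, not either poster's code: it builds that database from scratch in a directory you choose (the ca.privkey, ca.crt and bobs-ipad names mirror the nginx post; the config, policy and extension sections are constructed here).

```shell
# Added example: minimal `openssl ca` database so -revoke and -gencrl work (constructed, not from the posts)
set -e
make_ca() {                        # $1 = directory to create the CA in
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"             # empty certificate database; `openssl ca` appends every issued cert here
  echo 1000 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.privkey
default_md = sha256
default_days = 365
default_crl_days = 30
policy = local_policy
[ local_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # CA key left unencrypted (the post uses -aes256) so this runs without a passphrase prompt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$dir/openssl.cnf" \
    -subj "/CN=home-ca" -keyout "$dir/ca.privkey" -out "$dir/ca.crt" >/dev/null 2>&1
}
issue_client() {                   # $1 = CA dir, $2 = client name: CSR, then sign through `openssl ca`
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.privkey" -out "$1/$2.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}
revoke_client() {                  # $1 = CA dir, $2 = client name; rewrites ca.crl for nginx's ssl_crl
  openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}
client_status() {                  # prints good|revoked: the decision a CRL-checking server makes
  if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" >/dev/null 2>&1
  then echo good; else echo revoked; fi
}
```

Run make_ca once, issue_client per device, and after revoke_client copy the new ca.crl to the path named by ssl_crl and reload nginx.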

XAMPP SSL Certificate better hash security

I was wondering if there's a way to generate a new SSL certificate for XAMPP. I get a lot of SHA-1 warnings in the firebug console and I think it's because of using SSL which has sha1 as algorithm.
However, I can't seem to find how to generate a new certificate with a better hash. If I'm saying things that make no sense, please don't hate on me as I've never worked with SSL certificates before.
Also, I cannot suppress the warnings as I use Firebug and the warnings just make my POST files harder to find.
I followed the instructions there to generate a new, self-signed certificate for 127.0.0.1 and localhost: https://notepad.patheticcockroach.com/3054/how-to-create-and-install-an-apache-ssl-certificate-either-self-signed-or-not/
I just needed to add "-sha256" as an argument when generating the CSR and signing, so basically:
openssl genrsa -des3 -out server.key 3072
openssl req -new -sha256 -key server.key -out server.csr
openssl x509 -req -sha256 -days 11000 -in server.csr -signkey server.key -out server.crt
Then use those files to replace the files with the same names located in apache\conf\ssl.crt, apache\conf\ssl.csr and apache\conf\ssl.key.
Or you can just use my files:
This is server.crt:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
This is server.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
And this is server.key:

I'd like to create SSL certificates for my test environment

Does anyone have a handy script to generate SSL certificates such that it generates the CA certificate and the server certificate. More importantly, create it in a way that I can import the CA certificate into my trusted root list (of my windows system) so that the browser does not flag the site as untrusted.
I used the following script to do it but I am not able to persuade my browser to trust the certificate.
I'd greatly appreciate any help here.
# Generate a private key
openssl genrsa -des3 -out server.key 1024
# Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
# Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Regards,
Kashyap
Your script is only generating one certificate, a self-signed certificate. Usually, the self-signed certificate is called the Root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed by the Root private key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:
Root -> CA -> Server
The CA and Root cert can go into the trusted certificate list. Then a browser that trusts that list will also trust any certificate signed by the CA or Root entities.
You don't have to have this hierarchy...you can use the Root certificate as the CA and skip the middle cert. You can also just use 1 self-signed certificate as the Root/Server certificate. See this article (Trusting self-signed certificates).
But assuming you do have this hierarchy, here are some OpenSSL commands to generate the necessary keys and certificates:
# 1. Create Root private key
openssl genrsa -out root.key 2048
# 2. Create self-signed Root certificate
openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256
# 3. Create CA private key
openssl genrsa -out ca.key 2048
# 4. Create CA CSR
openssl req -new -key ca.key -out ca.csr -days 5000
# 5. Sign and create CA certificate
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256
# 6. Create Server private key
openssl genrsa -out server.key 2048
# 7. Create Server CSR
openssl req -new -key server.key -out server.csr -days 5000
# 8. Sign and create Server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256
Change the key bits, # of valid days, serial numbers, and add V3 extensions as you see fit.
Also remember that different browsers have different lists that they trust. Chrome and IE use the Windows default list. Firefox has its own list.
Do you have a trusted CA certificate?
You are generating a self-signed certificate, which is always considered untrusted by browsers.
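As an added example (not the answer's script, and not the first answer on this page either, though it covers the same key, CSR and x509 steps), here is the Root -> CA -> Server hierarchy built with the V3 extensions browsers actually check (basicConstraints on the CAs, subjectAltName on the server), followed by the verification a TLS client performs against a store holding only the root. The directory, subject names, hostname and extension files are all constructed here.

```shell
# Added example: three-level chain with V3 extensions, then verified as a client would (constructed)
set -e
new_csr() {                     # $1 = dir, $2 = file stem, $3 = CN; the DN comes from -subj, so the config is minimal
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" -config "$1/req.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}
build_chain() {                 # $1 = working directory, $2 = server hostname (ends up in the SAN)
  d=$1; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > "$d/server.ext"
  new_csr "$d" root "Test Root"; new_csr "$d" ca "Test Issuing CA"; new_csr "$d" server "$2"
  # Steps 1-2 of the answer: self-signed Root, now carrying CA:TRUE so clients accept it as an anchor
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 5000 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  # Steps 3-5: intermediate CA signed by the Root
  openssl x509 -req -in "$d/ca.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
    -days 5000 -sha256 -extfile "$d/ca.ext" -out "$d/ca.crt" >/dev/null 2>&1
  # Steps 6-8: server cert signed by the intermediate; the SAN is what browsers match the URL against
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 3 \
    -days 5000 -sha256 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
  cat "$d/server.crt" "$d/ca.crt" > "$d/fullchain.crt"   # leaf + intermediate, what the web server should send
}
chain_ok() {                    # $1 = dir, $2 = hostname; prints ok|fail. Trusts only root.crt, like a browser store
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/ca.crt" -verify_hostname "$2" \
       "$1/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
```

Only root.crt goes into the Windows trusted root list; the intermediate travels with the server certificate in fullchain.crt.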

How can I convert a PFX certificate file for use with Apache on a linux server?

I created the PFX from Windows Certificate Services. The PFX contains the entire certificate chain. (Which is just a root and the main cert, no intermediate.)
Lead me, wise ones.
With OpenSSL you can convert a PFX to an Apache-compatible format with the following commands:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
The first command extracts the public key to domain.cer.
The second command extracts the private key to domain.key.
Update your Apache configuration file with:
<VirtualHost 192.168.0.1:443>
...
SSLEngine on
SSLCertificateFile /path/to/domain.cer
SSLCertificateKeyFile /path/to/domain.key
...
</VirtualHost>
In addition to
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
I also generated the Certificate Authority (CA) certificate:
openssl pkcs12 -in domain.pfx -out domain-ca.crt -nodes -nokeys -cacerts
And included it in Apache config file:
<VirtualHost 192.168.0.1:443>
...
SSLEngine on
SSLCertificateFile /path/to/domain.cer
SSLCertificateKeyFile /path/to/domain.key
SSLCACertificateFile /path/to/domain-ca.crt
...
</VirtualHost>
To get it to work with Apache, we needed one extra step.
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
The final command decrypts the key for use with Apache. The domain.key file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-----END RSA PRIVATE KEY-----
Took some tooling around but this is what I ended up with.
Generated and installed a certificate on IIS7.
Exported as PFX from IIS
Convert to pkcs12
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
NOTE: While converting PFX to PEM format, openssl will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END lines) to its own text file and save them as certificate.cer, CAcert.cer and privateKey.key respectively.
-----BEGIN PRIVATE KEY-----
Saved as certificate.key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Saved as certificate.crt
-----END CERTIFICATE-----
Added to apache vhost w/ Webmin.
SSLShopper has some pretty thorough articles about moving between different servers.
http://www.sslshopper.com/how-to-move-or-copy-an-ssl-certificate-from-one-server-to-another.html
Just pick the relevant link at bottom of this page.
Note: they have an online converter which gives them access to your private key. They can probably be trusted but it would be better to use the OPENSSL command (also shown on this site) to keep the private key private on your own machine.
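As an added example that is not part of any answer above, the following round-trips a constructed certificate through a PKCS#12 file using the extraction commands the answers give, then runs the two checks worth doing before restarting Apache: that domain.key came out unencrypted and that it actually belongs to domain.cer. The PFX, its password (export-pw) and the subject name are constructed for the example.

```shell
# Added example: PFX -> PEM extraction with the checks a practitioner runs afterwards (constructed input)
set -e
make_pfx() {                    # $1 = dir; builds a self-signed cert and packs it as domain.pfx (stand-in for the IIS export)
  d=$1; mkdir -p "$d"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=www.example.test" \
    -config "$d/req.cnf" -keyout "$d/orig.key" -out "$d/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$d/orig.crt" -inkey "$d/orig.key" -out "$d/domain.pfx" \
    -passout pass:export-pw 2>/dev/null
}
extract_pfx() {                 # $1 = dir; the two commands from the answers, plus -passin for the PFX password
  openssl pkcs12 -in "$1/domain.pfx" -clcerts -nokeys -out "$1/domain.cer" -passin pass:export-pw 2>/dev/null
  openssl pkcs12 -in "$1/domain.pfx" -nocerts -nodes -out "$1/domain.key" -passin pass:export-pw 2>/dev/null
}
key_is_plain() {                # prints yes|no: -nodes already writes the key unencrypted, which is what Apache needs
  if grep -q ENCRYPTED "$1/domain.key"; then echo no; else echo yes; fi
}
key_matches_cert() {            # prints match|mismatch by comparing the public key carried in each file
  cert_pub=$(openssl x509 -in "$1/domain.cer" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/domain.key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}
```

A mismatch here means the wrong key or certificate was copied out of the combined PEM, which Apache reports only at startup.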