pfxexx (What is this?)

Table of Contents

pfxexx (What is this?)

PFX exporter for OPNsense's ACME plugin's certificates. A bash script.

Background

The ACME client on OPNsense has a lot of useful utilities (such as installing certificates on Synology's DSM and automated push over SSH that though doable on other systems, each user admin has to come up with their own scheme. It's not perfect, as everything-else-OPNsense, it's poorly documented but it does the job nevertheless.

Certain servers require PFX certificates and will refuse other formats. PFX are bundle files, that usually include the whole chain of certificates (public keys) as well as the private key of the issued certificate. Since they have a private key, they also often have a password protecting them. You may skip this password but you will still have to press return/enter to accept it IF the recipient server tolerates it, most will not and they will refuse it outright.

How does it work?

The original idea for this was to add an automation per certificate so the process would focus only on that certificate, but there's no documentation about it (on OPNsense's documentation at least) so instead it works in bulk.

The ACME plugin creates a random directory under /var/etc/acme-client/certs where it puts the public keys and a matching directory on /var/etc/acme-client/keys where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made yet.

So instead the script will: 1. Find subdirectories of: 1.1 /var/etc/acme-client/certs where it will seek the files named: 1.1.1 cert.pem and 1.1.2 chain.pem 1.2 /var/etc/acme-client/keys where it will seek the file named: 1.2.1 private.key 2. If all files are found under the matching directory name, it will proceed to decode the common name (cn) value of the certificate 3. It will retrieve the passphrase stored in the file referenced by variable pfile, by default it's on /var/etc/acme-client/pfiles/std 4. Using the CN value, and the password from pfile; it will create a new PFX file in /var/etc/acme-client/pfx

Installation

There's nothing to install, except maybe bash since it's a bash script. The commands in the script fail if run in OPNsense's default shell.

/var/etc/acme-client is a logical location for the scripts of this kind, but much like pfSense or VyOS, OPNsense overwrites as much as it needs to during updates/upgrades except for a few safe places: /config on VyOS, /root in pfSense/OPNsense.

You don't need to transfer files to the firewall, as out sites allow hotlinking, you can just use curl to get the script if you please. Additionally, on a non-console terminal you can paste the code (shown below). OPNsense includes the edit and vi text editors. If you've never used vi/vim, stick to edit.

Assuming you'll be downloading to /var/etc/acme-client/scripts, you need to: 1. Create a save location if it doesn't already exist: 

mkdir -p ''/var/etc/acme-client/scripts''
The command above does nothing if the directory already exists.

2. Download: curl -o <destination-filename(-and-path)> <source-URL> e.g; 

curl -o /var/etc/acme-client/scripts/pfxexx https://ref.vitanetworks.link/_export/code/en/utility-scripts/pfxexx?codeblock=0

Options/Syntax

Neither of the only two options affect how the script works, they only affect the amount of stdout.

--unmute

The script normally discards all output to avoid slowing down firewalls and reduce wearing of flash storage. This option eliminates the discarding of the minimal data it would otherwise output.

--debug

This is for testing the script itself, not so much about certificates. Pretty much a useless option for most people.

Requirements

The script must be edited or at least review to verify the variables are correct at least reviewed edite hard-coded with the variab

pfxexx
  1. #!/usr/bin/env bash
  2.  
  3. printOPTIONS() {
  4.   cat << _options
  5. ┌────────────────────────────────────────────────────────────────────────────i─┐
  6. │ pfxexx — PFX Exporter for the ACME plugin on OPNsense                        │
  7. │ Copyright (C) 2025  Gustavo Domínguez                                        │
  8. │ GNU General Public License version 3
  9. ├─────────────────────────────────────────────────────────OPTIONS/REQUIREMENTS─┤
  10. │ There are no real options*, only requirements:                               │
  11. 1. The script requires bash to run. To install run: 'pkg install -y bash'.   │
  12. 2. Variables must be reviewed or changed before running the script.          │
  13. │    - Likely the most important will be the password file, the "pfile" from   │
  14. which a password will be read in order to set it on PFX exports.        │
  15. │                                                                              │
  16. *: except for --unmute and --debug, neither of which affects how the script  │
  17. │    works in terms of exporting PFXs. See more info at:                       │
  18. │    https://ref.vitanetworks.link/en/utility-scripts/pfxexx                   │
  19. ├────────────────────────────────────────────────────────────────────────────@─┤
  20. │ Gustavo Domínguez <deliver@senseivita.com>
  21. │ senseivita.com | antipostal.com | vitanetworks.link                          │
  22. └──────────────────────────────────────────────────────────────────────────────┘
  23. _options
  24. }
  25. restoreOptions(){ set +e ; set +x ; set +v;}
  26. enableDebugOptions(){ set -e ; set -x ; set -v;}
  27. trap restoreOptions ERR EXIT
  28. if [[ $1 =~ "debug" ]]; then enableDebugOptions; fi
  29.  
  30. verifiedPieces=''
  31. cbn='/var/etc/acme-client/certs'
  32. kbn='/var/etc/acme-client/keys'
  33. ebn='/var/etc/acme-client/pfx'
  34. cnlist=''
  35. pfile='/var/etc/acme-client/pfiles/std'
  36.  
  37. main() {
  38.  
  39.   checkPfxExportDir() {
  40.     if ! [[ -d "$ebn" ]]; then
  41.       mkdir -p "$ebn"
  42.     fi
  43.   }
  44.  
  45.   candidates=( "$(find "$cbn" -type d -mindepth 1 -print0 | xargs -0 basename -s "$cbn")" )
  46.   echo "${candidates[*]}"
  47.  
  48.   partsCheck() {
  49.     for i in "${candidates[@]}"; do
  50.       echo "$i"
  51.       if [[ -f "$cbn/$i/cert.pem" ]]; then
  52.         echo "$cbn/$i/cert.pem"
  53.         if [[ -f "$cbn/$i/chain.pem" ]]; then
  54.           echo "$cbn/$i/chain.pem"
  55.           if [[ -f "$kbn/$i/private.key" ]]; then
  56.             echo "$kbn/$i/private.key"
  57.             verifiedPieces+=( "$i" )
  58.           else continue; fi
  59.         else continue; fi
  60.       else continue; fi
  61.     done
  62.   }
  63.  
  64.   exportPFXs() {
  65.     for iset in "${verifiedPieces[@]}"; do
  66.       cn=$(openssl x509 -noout -subject -in "$cbn/$iset/cert.pem" | awk '{print $3}')
  67.       cnlist+=( "$cn" )
  68.       openssl pkcs12 -export -out "$ebn/$cn.pfx" -inkey "$kbn/$iset/private.key" -in "$cbn/$iset/cert.pem" -certfile "$cbn/$iset/chain.pem" -password file:"$pfile"
  69.     done
  70.   }
  71.  
  72.   printResuts() {
  73.     echo Found the following certificates:
  74.     printf '%s\n' "${cnlist[*]}"
  75.   }
  76.  
  77. if checkPfxExportDir; then
  78.   if partsCheck; then
  79.     if exportPFXs; then
  80.       echo "Finished successfully."
  81.       printResuts
  82.     else
  83.       if [[ $1 =~ "debug" ]]; then echo "Failed exportPFXs"; fi
  84.       exit
  85.     fi
  86.   else
  87.     if [[ $1 =~ "debug" ]]; then echo "Failed partsCheck"; fi
  88.     exit
  89.   fi
  90. else
  91.   if [[ $1 =~ "debug" ]]; then echo "Failed checkPfxExportDir"; fi
  92.   exit
  93. fi
  94. }
  95.  
  96. while [ "$1" != "" ]; do
  97.   case "$1" in
  98.     -h|--help|--options|help) printOPTIONS ;;
  99.     --debug|debug) shift; main debug ;;
  100.     --unmute) main ;;
  101.     *) main > /dev/null 2>&1 ;;
  102.   esac
  103.   shift
  104. done
en/utility-scripts/pfxexx.txt · Last modified: 2025/03/14 19:46