PFX Certificate Support

I am trying to protect PowerSchool SIS via SAML and according to their documentation, they require a .PFX certificate to be uploaded. Are there any plans to support downloading the certificate from the protected applications in .PFX format in Duo?

Hi @Jderoy, Welcome to the Duo Community! Thanks for sharing your question here. There are no plans at this time to support PFX certificates. There is an open feature request for this functionality, however, that is under consideration. You can add your name to the feature request by contacting Duo Support, or your Customer Success Manager or Account Executive if you are a Duo Care customer.

In the meantime, if you do export a new or existing PFX certificate from IIS, it may be possible to convert it into a PEM file for use in the Duo Authentication Proxy. Follow the steps below when you are at the stage of exporting:

  1. Export the cert as a PFX
  2. Go to "SSL Converter - Convert SSL Certificates to different formats" and convert it from PFX/PKCS#12 to Standard PEM.
    • If you don’t want to upload the cert to the website to do the converting, then you will need a local install of OpenSSL to do the converting.
    • If you use the online converter, then you will get a .pem file back. In the .pem file there will be two sections: one for the key and one for the cert.
  3. You will then copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- (including the begin and end lines themselves) and paste that into a new text file MyKeyFile.key.
  4. Repeat the process for everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste that into a new text file MyCertFile.pem (or MyCertFile.crt - either is fine, but Windows doesn’t really know what to do with a .pem file).
  5. Finally, use those two new files in the authproxy config for ldap_server_auto: ssl_key_path=MyKeyFile.key and ssl_cert_path=MyCertFile.pem.

ETA: I just realized you need the opposite of the answer I shared. There is a discussion on Stack Overflow on how to convert a CERT/PEM certificate to a PFX certificate, which may be helpful here.
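
The local OpenSSL route mentioned in step 2, together with the reverse PEM-to-PFX direction from the ETA, as an added example that is not part of the original posts or of Duo's documentation; converting locally keeps the private key off a third-party converter site. The function names, the demo password and the self-signed `demo.invalid` certificate are constructed for illustration; `MyKeyFile.key` and `MyCertFile.pem` follow the post.

```shell
#!/bin/sh
# Added example: local PFX <-> PEM conversion with the openssl CLI.
# The PFX password is read from the PFX_PASS environment variable so it
# never appears in the process list. Function names are hypothetical.

# pfx_to_pem PFX KEY_OUT CERT_OUT: split a PFX into key and certificate files.
pfx_to_pem() {
    # Piping through pkey/x509 drops the "Bag Attributes" text and leaves
    # one clean PEM block per file; umask keeps the key owner-readable only.
    ( umask 077
      openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
          openssl pkey -out "$2" 2>/dev/null ) || return 1
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null || return 1
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# pem_to_pfx KEY CERT PFX_OUT: the reverse direction (PEM pair back to PFX).
pem_to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# demo: build a constructed self-signed pair, pack it into a PFX as a
# stand-in for the IIS export, split it again, verify, and re-pack.
demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-pass'; export PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$d/src.key" -out "$d/src.crt" 2>/dev/null &&
    pem_to_pfx "$d/src.key" "$d/src.crt" "$d/export.pfx" &&
    pfx_to_pem "$d/export.pfx" "$d/MyKeyFile.key" "$d/MyCertFile.pem" &&
    key_matches_cert "$d/MyKeyFile.key" "$d/MyCertFile.pem" &&
    pem_to_pfx "$d/MyKeyFile.key" "$d/MyCertFile.pem" "$d/roundtrip.pfx"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "key and certificate match; PFX round-trip OK"
```

`openssl pkey` writes the key in PKCS#8 form, so the file begins with `-----BEGIN PRIVATE KEY-----` rather than the RSA-specific header quoted in step 3; whether a given consumer accepts that form is not stated on this page.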