Create pfx certificate with Root CA included in Ubuntu 16.04


I am using ESET ERA (Security Software Remote Administration Console) on a VPS running on Ubuntu 16.04 x64. The Mobile Device Connecter module in the software requires a pkcs12 (.pfx) file for the domain on which it will be used.

While using version 6 of ESET, I used the command :

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123

to generate the required .pfx file and it worked. But from version 7, the requirements have changed and now the software requires that the pfx file should include issuer root CA certificate alongwith the chain and certificate for the domain. I am assuming that the command that I use above does not include the root CA certificate as the software gives an error that the HTTPS certificate chain is incomplete.

Can any one please provide a step by step guide / command on how to generate a pfx file with issuer root CA certificate alongwith the chain and certificate.



Certbot doesn’t keep a copy of the root certificate because, well, it doesn’t know about the root certificate. Under ACME, it could change at any moment (but probably won’t!).

For your needs, you could have your script append the DST Root CA X3 PEM to tne end of fullchain.pem before converting it to PFX. I don’t think there’s any reliable way of determine what the “current root” is, apart from looking at the Issuer field of the intermediate, and then looking that up in your local trust store.


Appending DST Root CA X3 PEM to fullchain.pem did the trick