Debug School

Suyash Sambhare

Convert SSL Certificates

How to generate a .pem CA certificate and client certificate from a PFX file using OpenSSL.

Different platforms and devices require SSL certificates to be converted to different formats.
For example, a Windows server exports and imports .pfx files while an Apache server uses individual PEM (.crt, .cer) files.
To use the OpenSSL Converter, select your certificate file and its current type, then select the type you want to convert it to and convert the certificate.
Use the OpenSSL Converter to convert SSL certificates to and from different formats such as pem, der, p7b, and pfx.

PEM Format

  • The PEM format is the most common format in which Certificate Authorities issue certificates.
  • PEM certificates usually have extensions such as .pem, .crt, .cer, and .key.
  • They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.
  • Server certificates, intermediate certificates, and private keys can all be put into the PEM format.
  • Apache and other similar servers use PEM format certificates.
  • Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

  • The DER format is simply a binary form of a certificate instead of the ASCII PEM format.
  • It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements.
  • All types of certificates and private keys can be encoded in DER format.
  • DER is typically used with Java platforms.
  • The SSL Converter can only convert certificates to DER format.

PKCS#7/P7B Format

  • The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c.
  • P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements.
  • A P7B file only contains certificates and chain certificates, not the private key.
  • Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

  • The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file.
  • PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

OpenSSL Commands to Convert SSL Certificates

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file.
You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END statements) to its own text file, saving them as certificate.cer, CACert.cer, and privateKey.key respectively.

It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so that the private key stays there.

Use the following OpenSSL commands to convert SSL certificates to different formats on your machine:

Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
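
The manual copy-and-paste step described earlier for a PFX converted to PEM can be scripted. This is an added example, not part of the original post: the function name split_pem_bundle and the input name bundle.pem are assumptions, and it assumes the first certificate in the file is the server certificate. Because -nodes writes the private key unencrypted, the output files are created readable by the owner only.

```shell
#!/bin/sh
# Added example (not from the original post). Splits the single PEM file
# produced by "Convert PFX to PEM" into privateKey.key, certificate.cer and
# CACert.cer. Assumption: the first CERTIFICATE block is the server
# certificate and every later one is a CA certificate.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # Create the outputs owner-only before any key material is written.
    old_umask=$(umask)
    umask 077
    : > "$outdir/privateKey.key"
    : > "$outdir/certificate.cer"
    : > "$outdir/CACert.cer"
    chmod 600 "$outdir/privateKey.key"   # also tightens a pre-existing file

    awk -v dir="$outdir" '
        # A BEGIN line opens a block; its label selects the output file.
        /^-----BEGIN [A-Z0-9 ]+-----/ {
            if ($0 ~ /PRIVATE KEY-----/) {
                keys++; out = dir "/privateKey.key"
            } else if ($0 ~ /BEGIN CERTIFICATE-----/) {
                certs++
                out = dir "/" (certs == 1 ? "certificate.cer" : "CACert.cer")
            } else {
                out = ""    # other block types are skipped
            }
        }
        # Text outside a block ("Bag Attributes", subject=, issuer=) is dropped.
        out != "" { print >> out }
        /^-----END [A-Z0-9 ]+-----/ { if (out != "") close(out); out = "" }
        END { printf "%d %d\n", keys, certs }   # "<keys> <certificates>"
    ' "$bundle"
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# Usage: sh split_pem.sh bundle.pem outdir
if [ "$#" -eq 2 ]; then
    split_pem_bundle "$1" "$2"
fi
```

Before deploying, confirm which certificate landed in certificate.cer with `openssl x509 -noout -subject -in certificate.cer`, since the order of certificates inside a PFX is not guaranteed.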

If you need to convert a Java Keystore file to a different format, it is usually easier to create a new private key and certificates, but it is possible to convert a Java Keystore to PEM format.

Congratulations!
You have successfully converted so many certificates!

Ref: https://www.sslshopper.com/ssl-converter.html

Top comments (2)

Suyash Sambhare

you can even combine the pieces 'on the fly' as long as you put privatekey first
cat privkey.pem mycert.pem chain.pem | openssl pkcs12 -export -out p12

Suyash Sambhare

openssl pkcs12 -export -in file -out p12

or ONLY IF the privatekey is first in the file
openssl pkcs12 -export <file -out p12