Export certificate to PFX
Instructions for exporting the private key and certificate, including the intermediate certificates of the certification authority, from PEM (X.509) format to PFX format, which is suitable for installation on a Windows server with IIS (Internet Information Server).
Export using OpenSSL
To work with certificates, you need to have the OpenSSL library installed. See the OpenSSL for Windows and Mac OSX page for instructions and download links.
Preparation of certificate
We will need the certificate and private key files for the export. Save everything in 3 files: the private key (.key), the certificate, i.e. the certified public key (.pem), and one file with the intermediate certificates from the CA (.pem). For the export it does not matter whether the files have the extension .PEM or .TXT; the naming is up to you. For clarity, the private key file should be named .KEY.
- private key file (saved during generation in Control Panel or OpenSSL)
- certificate file from a certification authority (certified public key)
- file with intermediate certificates of the certification authority
The files contain certificates in PEM format. Certificates start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----; the private key starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.
Export PEM to PFX (PKCS#12)
To export with OpenSSL, use the pkcs12 command with the following parameters:
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile cabundle.pem
Or, for example, if we have key-files in TXT format:
openssl pkcs12 -export -out cert.pfx -inkey key.txt -in cert.txt -certfile ca.txt
After running the command, you will be asked to enter a password and confirm it (min. 4 characters); the certificate is then exported to the cert.pfx file.
If the files are not located in the current directory, you must specify their path. Certificate files can also have a .txt extension.
Check the .pfx key file
After exporting, we recommend checking the .pfx file to see if all certificates have been inserted correctly.
openssl pkcs12 -info -nodes -in cert.pfx
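The check above prints the private key in clear text because of -nodes. The following script is an added example, not part of the original instructions: it counts the certificates in the PFX and confirms that the private key belongs to the leaf certificate without displaying the key. The password changeit, the subject names and the make_sample helper are constructed test values; the file names follow the commands above.

```shell
#!/bin/sh
# Added example: check a PFX without printing its private key.
# File names follow the article; the password and the sample CA/leaf are constructed test values.

# Print how many certificates the PFX holds (leaf + intermediates).
pfx_cert_count() {  # usage: pfx_cert_count FILE PASSWORD
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Succeed only if the private key in the PFX belongs to its leaf certificate.
# Only the derived public keys are compared; the private key stays inside the pipe.
pfx_key_matches() {  # usage: pfx_key_matches FILE PASSWORD
    cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    # An empty result (wrong password, no key, no certificate) must never count as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway CA, a leaf certificate and cert.pfx in directory $1 (test data only).
make_sample() {  # usage: make_sample DIR PASSWORD
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/cabundle.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/private.key" -out "$1/cert.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/cert.csr" -CA "$1/cabundle.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/cert.pfx" -inkey "$1/private.key" \
        -in "$1/cert.pem" -certfile "$1/cabundle.pem" -passout "pass:$2"
}

# Demo run on the constructed sample; the temporary directory is removed on exit.
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir" changeit
echo "certificates in PFX: $(pfx_cert_count "$demo_dir/cert.pfx" changeit)"
if pfx_key_matches "$demo_dir/cert.pfx" changeit; then
    echo "private key matches the leaf certificate"
else
    echo "private key is missing or does not match"
fi
```

On a real server, let openssl prompt for the password or pass it with -passin env:VAR or file:PATH instead of pass:, which exposes the password in the process list and shell history.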
Potential export errors
Error opening input file key/cert.txt
key/cert.txt: No such file or directory
Check the path and file names of the keys.
Unable to load certificate
Check that the certificate is in correct PEM format and that its content starts with -----BEGIN CERTIFICATE-----.
Working with keys in PFX
To export an encrypted private key from .pfx, use the command: openssl pkcs12 -in cert.pfx -nocerts -out key-crypt.key
The password for encryption must be at least 4 characters long.
Private key decryption: openssl rsa -in key-crypt.key -out key.key
Export certificate (public key) to .crt format: openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
Certificate export to PFX without private key
Certificate export to PFX without private key: openssl pkcs12 -export -out cert.pfx -nokeys -in certificate.pem
Certificate export to PFX without private key with CA intermediate certificates: openssl pkcs12 -export -out cert.pfx -nokeys -in certificate.pem -certfile cabundle.pem
Certificate conversion between different formats
With OpenSSL, various conversions between formats can be performed using the following commands.
Convert PEM → DER
openssl> x509 -outform der -in certificate.pem -out certificate.der
Convert PEM → P7B
openssl> crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile cacert.pem
Convert DER → PEM
openssl> x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B → PEM
openssl> pkcs7 -print_certs -in certificate.p7b -out certificate.pem
Convert P7B → PFX
openssl> pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl> pkcs12 -export -in certificate.pem -inkey privateKey.key -out certificate.pfx -certfile cacert.pem
Convert PFX → PEM
openssl> pkcs12 -in certificate.pfx -out certificate.pem -nodes