SSL certificate and key conversion to pfx

The domain certificates we buy from Certificate Authorities usually arrive as a .key file and a .cer file, which most web servers can use directly. Windows IIS, however, needs the certificate in PFX format (a PKCS#12 bundle that holds the certificate and its private key together).

1. Interconversion of SSL certificate and private key with pfx format

1.1. SSL certificate and private key merge to generate pfx format

We can use openssl for certificate conversion to generate pfx format certificate file for IIS. Example:

# Generate bitone.dev.pfx based on bitone.dev.key and bitone.dev.cer (openssl prompts for an export password)
openssl pkcs12 -export -out bitone.dev.pfx -inkey bitone.dev.key -in bitone.dev.cer

# Conversion with CA chain: generate bitone.dev_ca.pfx based on bitone.dev.key, bitone.dev.crt and bitone.dev_ca.crt.
# -certfile adds the CA/intermediate certificates to the bundle; -CAfile on its own only supplies a trust store
# and includes nothing unless it is combined with -chain.
openssl pkcs12 -export -out bitone.dev_ca.pfx -inkey bitone.dev.key -in bitone.dev.crt -certfile bitone.dev_ca.crt

1.2. Extracting private keys and certificates based on pfx files

If you only have certificates in pfx format, you can also use openssl to extract keys in key format and certificates in cer/crt format.

The following are examples of commands for reference:

# Certificate and private key extraction to bitone.dev.pem
# (-nodes writes the private key unencrypted, so restrict the file's permissions)
openssl pkcs12 -in bitone.dev.pfx -nodes -out bitone.dev.pem
# Extract the RSA private key
openssl rsa -in bitone.dev.pem -out bitone.dev.key
# Extract the X.509 certificate
openssl x509 -in bitone.dev.pem -out bitone.dev.crt
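The two procedures above (building a PFX in 1.1 and extracting from it in 1.2) are shown end to end in the following script. It is an added example, not code from the original page: it generates a throwaway self-signed key and certificate for bitone.dev, checks that the key really belongs to the certificate before exporting, passes the export password through the environment instead of the command line, and confirms after extraction that the certificate fingerprint and key are unchanged. It assumes openssl is on PATH; the key, certificate and passphrase are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original page: round-trip a key/certificate
# pair through PKCS#12 (sections 1.1 and 1.2) and verify the result.
# Assumes openssl is on PATH. The key, certificate and passphrase are
# constructed for the demo; nothing here comes from a real CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
umask 077                       # every file written below (keys included) is owner-only

# Constructed input: a throwaway self-signed key and certificate for bitone.dev.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bitone.dev" \
  -keyout "$WORK/bitone.dev.key" -out "$WORK/bitone.dev.cer" 2>/dev/null

# Constructed passphrase. It is handed to openssl as env:PFX_PASS rather than
# pass:..., so it does not appear in the process list or shell history.
export PFX_PASS="demo-passphrase"

# Print "match" if the public key inside certificate $1 equals the public key
# derived from private key $2, otherwise "mismatch". openssl pkcs12 -export
# refuses a mismatched pair anyway, but checking first gives a clearer error.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Section 1.1: bundle certificate $1 and private key $2 into PFX file $3.
make_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

# Section 1.2: extract certificate $2 and unencrypted private key $3 from PFX $1.
# -nodes leaves the key in the clear, which is why umask 077 was set above.
extract_pfx() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS -out "$2"
  openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS -out "$3"
}

# SHA-256 fingerprint of certificate $1, used to confirm the round trip.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone run: build the PFX, pull everything back out, compare.
key_matches_cert "$WORK/bitone.dev.cer" "$WORK/bitone.dev.key"
make_pfx "$WORK/bitone.dev.cer" "$WORK/bitone.dev.key" "$WORK/bitone.dev.pfx"
extract_pfx "$WORK/bitone.dev.pfx" "$WORK/out.crt" "$WORK/out.key"
cert_fingerprint "$WORK/bitone.dev.cer"
cert_fingerprint "$WORK/out.crt"
key_matches_cert "$WORK/out.crt" "$WORK/out.key"
```

The fingerprint printed for bitone.dev.cer and for out.crt must be identical, and both key_matches_cert calls must print match; anything else means the wrong key or certificate went into the bundle. On a real deployment, replace the constructed PFX_PASS with a value read from a secret store, and delete the unencrypted out.key once IIS has imported the PFX.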

2. Introduction to different types of certificate formats and encodings

2.1. Different types of certificate encodings and extensions

  • The .CRT extension is used for certificates. Certificates can be encoded as binary DER or ASCII PEM. The .CER and .CRT extensions are almost synonymous; .CRT is most commonly used on Unix or Unix-like systems.
  • .CER is an alternative form of .crt.
  • The .KEY extension is used for public and private keys, typically in PKCS#8 form. Keys can be encoded as binary DER or ASCII PEM.

2.2. Viewing certificates

openssl x509 -in bitone.dev.pem -text -noout
openssl x509 -in bitone.dev.cer -text -noout
openssl x509 -in bitone.dev.crt -text -noout
 
openssl x509 -in bitone.dev.der -inform der -text -noout

2.3. Conversion of common certificate types

  • CER/CRT to PEM conversion

    The certificate file extension can be changed directly, for example bitone.crt -> bitone.pem, provided the file is already PEM (Base64 text beginning with -----BEGIN CERTIFICATE-----). A DER-encoded .crt must instead be converted with openssl x509 -inform der, as shown under "DER to PEM conversion" below.

  • Converting PFX to PEM

    The PFX format is generally found on Windows Server. Example of extracting the certificate and the private key (-nodes writes the key unencrypted):

    # Extract the certificate.
    openssl pkcs12 -in bitone.dev.pfx -nokeys -out cert.pem
    # Extract private key
    openssl pkcs12 -in bitone.dev.pfx -nocerts -out key.pem -nodes
    
  • Converting P7B to PEM

    The P7B format is typically found on Windows Server and Tomcat. Conversion example:

    openssl pkcs7 -print_certs -in bitone.p7b -out bitone.cer
    
  • DER to PEM conversion

    The DER format is typically found on the Java platform.

    # Converting Certificates
    openssl x509 -inform der -in bitone.cert.cer -out bitone.cert.pem
    # Converting Private Keys
    openssl rsa -inform DER -outform PEM -in bitone.privatekey.der -out bitone.privatekey.pem
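Because the extension says nothing reliable about the encoding, the conversions in 2.3 are safest when driven by the file's actual content. The script below is an added example, not code from the original page: it classifies a certificate file as PEM, DER or a PKCS#7 (.p7b) bundle by inspecting it, applies the matching openssl conversion to produce PEM, and proves the conversion was lossless by comparing SHA-256 fingerprints. It assumes openssl is on PATH; the self-signed certificate and its DER and P7B copies are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original page: detect how a certificate
# file is encoded and normalise it to PEM (section 2.3). Assumes openssl is on
# PATH; the self-signed certificate and the DER/P7B copies are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed input: one self-signed certificate, then the same certificate
# re-encoded as DER and wrapped in a PKCS#7 (.p7b) bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bitone.dev" \
  -keyout "$WORK/bitone.key" -out "$WORK/bitone.pem" 2>/dev/null
openssl x509 -in "$WORK/bitone.pem" -outform der -out "$WORK/bitone.der"
openssl crl2pkcs7 -nocrl -certfile "$WORK/bitone.pem" -out "$WORK/bitone.p7b"

# Classify certificate file $1 by content, not by extension:
#   pem / der          a single X.509 certificate
#   p7b-pem / p7b-der  a PKCS#7 bundle
#   unknown            none of the above (e.g. a private key)
# Renaming .crt to .pem (the shortcut in 2.3) is only safe when this says "pem".
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem
  elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then echo p7b-pem
  elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then echo der
  elif openssl pkcs7 -inform der -in "$1" -noout 2>/dev/null; then echo p7b-der
  else echo unknown
  fi
}

# Write file $1 to $2 as PEM, choosing the conversion from its actual encoding.
to_pem() {
  case "$(cert_encoding "$1")" in
    pem)     cat "$1" ;;
    der)     openssl x509 -inform der -in "$1" ;;
    p7b-pem) openssl pkcs7 -print_certs -in "$1" ;;
    p7b-der) openssl pkcs7 -print_certs -inform der -in "$1" ;;
    *)       echo "unrecognised certificate file: $1" >&2; return 1 ;;
  esac > "$2"
}

# SHA-256 fingerprint of certificate $1, to prove the conversions are lossless.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Stand-alone run.
for f in bitone.pem bitone.der bitone.p7b bitone.key; do
  echo "$f: $(cert_encoding "$WORK/$f")"
done
to_pem "$WORK/bitone.der" "$WORK/from_der.pem"
to_pem "$WORK/bitone.p7b" "$WORK/from_p7b.pem"
cert_fingerprint "$WORK/bitone.pem"
cert_fingerprint "$WORK/from_der.pem"
cert_fingerprint "$WORK/from_p7b.pem"
```

All three fingerprints printed at the end must be identical. The P7B branch keeps the subject= and issuer= lines that openssl pkcs7 -print_certs emits in front of each certificate, exactly as the page's own P7B command does; openssl x509 skips them when reading the file, but strip them if another consumer expects bare PEM.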