Converting SSL certificates using OpenSSL
Conversion to a combined PEM file
To convert a PFX file to a PEM file that contains both the certificate and the private key, use the following command. The -nodes option writes the private key to the output file unencrypted:
- openssl pkcs12 -in filename.pfx -out cert.pem -nodes
Extract the private key to a PEM file
We can extract the private key from a PFX to a PEM file with this command:
- openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Exporting the certificate only:
- openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Removing the password from the extracted private key:
- openssl rsa -in key.pem -out server.key
Extract the CA cert to be able to create a chain certificate:
- openssl pkcs12 -in filename.pfx -nodes -nokeys -cacerts -out cert-ca.pem
From PEM (pem, cer, crt) to PKCS#12 (p12, pfx)
This is the console command that we can use to convert a PEM certificate file (.pem, .cer or .crt extensions), together with its private key (.key extension), into a single PKCS#12 file (.p12 and .pfx extensions):
- openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx
If you also have an intermediate certificates file (for example, CAcert.crt), you can add it to the "bundle" using the -certfile command parameter in the following way:
- openssl pkcs12 -export -in certificate.crt -inkey privatekey.key -out certificate.pfx -certfile CAcert.crt
From PKCS#12 to PEM
If you need to "extract" a PEM certificate (.pem, .cer or .crt) and/or its private key (.key) from a single PKCS#12 file (.p12 or .pfx), you need to issue two commands.
The first one is to extract the certificate:
- openssl pkcs12 -in certificate.pfx -nokeys -out certificate.crt
And a second one would be to retrieve the private key:
- openssl pkcs12 -in certificate.pfx -nocerts -out privatekey.key
IMPORTANT: the private key obtained with the above command is encrypted with a passphrase. To write it out as an unencrypted RSA key, you'll need to run a third command on the extracted key file:
- openssl rsa -in privatekey.key -out privatekey_rsa.key
Since PKCS#12 is a password-protected format, each of the above commands will prompt you for the password that was used when creating the .pfx file.
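A round-trip check for the conversions above, as an added example that is not part of the original page: it builds a PFX from a throwaway self-signed certificate, extracts the certificate and key again, and confirms the extracted key belongs to the certificate by comparing public-key fingerprints. The file names, the CN example.test and the password are constructed, and the function names pubkey_fp and roundtrip_check are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; file names, CN and password are constructed for the demo.

# Print the SHA-256 of the DER-encoded public key found in FILE ($1).
# KIND ($2) is "cert" (X.509 certificate) or "key" (unencrypted private key).
pubkey_fp() {
    local pub
    case "$2" in
        cert) pub=$(openssl x509 -in "$1" -noout -pubkey) ;;
        key)  pub=$(openssl pkey -in "$1" -pubout) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# PEM -> PFX -> PEM in a temp dir; succeeds only if the extracted key matches
# the extracted certificate and an unrelated key does not.
roundtrip_check() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    umask 077               # the extracted key is unencrypted: owner-only files
    pass='example-pass'     # constructed; "pass:" on the command line is demo-only
    openssl req -x509 -nodes -sha256 -days 1 -subj "/CN=example.test" \
        -newkey rsa:2048 -keyout privatekey.key -out certificate.crt 2>/dev/null &&
    openssl pkcs12 -export -in certificate.crt -inkey privatekey.key \
        -out certificate.pfx -passout "pass:$pass" &&
    openssl pkcs12 -in certificate.pfx -clcerts -nokeys \
        -out cert.pem -passin "pass:$pass" &&
    openssl pkcs12 -in certificate.pfx -nocerts -nodes \
        -out key.pem -passin "pass:$pass" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null &&
    fp_cert=$(pubkey_fp cert.pem cert) &&
    fp_key=$(pubkey_fp key.pem key) &&
    fp_other=$(pubkey_fp other.key key) &&
    [ "$fp_cert" = "$fp_key" ] && [ "$fp_cert" != "$fp_other" ]
    rc=$?
    cd / && rm -rf "$dir"   # remove the temp dir holding the unencrypted key
    exit "$rc"
)

if roundtrip_check; then
    echo "extracted key matches extracted certificate"
else
    echo "round trip failed or key/certificate mismatch"
fi
```

The same pubkey_fp comparison can be run on a real certificate.crt and privatekey.key before they are bundled, to catch a mismatched pair early.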
From DER (.der, .cer) to PEM
- openssl x509 -inform der -in certificate.cer -out certificate.pem
From PEM (.pem, .cer) to DER
- openssl x509 -outform der -in certificate.pem -out certificate.der
From PEM to PKCS#7 (.p7b, .p7c)
- openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CAcert.cer
From PKCS#7 to PEM
- openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
From PKCS#7 to PFX
- openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
- openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
# Extract all the certs
- openssl crl2pkcs7 -nocrl -certfile certificate.pem | openssl pkcs7 -print_certs -out foo-certs.pem
Create a Strong Naming key
- openssl.exe req -x509 -nodes -sha256 -days 3650 -subj "/CN=Cuplex.org" -newkey rsa:4096 -keyout Local.key -out Local.crt
- openssl.exe pkcs12 -export -in Local.crt -inkey Local.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out Local.pfx
Linux
# Bash split into 3 certs
- csplit -f individual- imap.cuplex.se-cert.pem '/-----BEGIN CERTIFICATE-----/' '{*}'