Convert PFX Certificate


While having your SSL/TLS certificate in a PFX file is great, as most applications support the PFX file, there are still some cases where a PFX file is not supported, and you need the certificate in the PEM format as a CRT file (also called a CER file) with a key file (also called a PEM file).

In this post, I will show you step-by-step how to convert a PFX file into a single file or individual files, with and without passwords. Each method supports the PEM format.

Prerequisites

The Process

Depending on your needs, you may need to convert your PFX file in several different ways. Here are the methods that I will cover.

All of the commands below will use the following options.

Export Certificate Only

The command below will only export the certificate. We use the -clcerts option to tell OpenSSL to export only the client certificate and the -nokeys option to tell OpenSSL not to output any private keys.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -clcerts -nokeys -out C:\ssl\wild-ssl-2024-cert-only.crt

Export CA Certificates Only

The command below will only export the CA certificates. We use the -cacerts option to tell OpenSSL to export only the CA certificates and the -nokeys option to tell OpenSSL not to output any private keys.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -cacerts -nokeys -out C:\ssl\wild-ssl-2024-ca-cert-only.crt

Export Keys Only without a Password

This one is dangerous as it leaves the private key for your certificate without a password. However, some applications still require this.

The command below will export the private key without encryption, meaning you won’t need a password to use the key file. We will use the -nocerts option to tell OpenSSL not to export any certificates and the -noenc option to tell OpenSSL not to protect the private keys with a password.

You could use the older -nodes option. However, it has been deprecated and replaced by the -noenc option.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -nocerts -noenc -out C:\ssl\wild-ssl-2024-keys-only.key

Export Keys Only with a Password

To keep your private key more secure, you can export it with a password, which will also encrypt it. We will do this by omitting the -noenc option. We will still use the -nocerts option to tell OpenSSL not to export any certificates.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -nocerts -out C:\ssl\wild-ssl-2024-keys-only-enc.key

Export Everything as One File without a Password

Sometimes, you still want to live dangerously and export everything to a single file without a password protecting your private key.

The command below will export everything, including the private key, without encryption. We will use the -noenc option to tell OpenSSL not to protect the private keys with a password.

You could use the older -nodes option. However, it has been deprecated and replaced by the -noenc option.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -noenc -out C:\ssl\wild-ssl-2024-everything.crt

Export Everything as One File with a Password

I like to export everything into a single file and manually pull the items I need from it. The command below will export the client certificate, the CA certificates, and the private key and encrypt the private key with a password.

For me, that command will look like:

openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -out C:\ssl\wild-ssl-2024-everything-enc.crt

Tip

If the application you are uploading the converted certificate to is very picky, you may need to manually edit the file with a text editor and remove the extra attributes (sometimes they show up as Bag Attributes and Key Attributes) before the certificates and private key. This is a side effect of converting the certificate.

For a clean certificate, you should only have -----BEGIN PRIVATE KEY-----, which closes with -----END PRIVATE KEY-----, along with the various -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- blocks. Anything outside of that is just extra and not needed.

Unneeded Attributes after conversion
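
The cleanup described in the tip can also be scripted instead of done by hand. The Python below is an added example, not part of the original post: the function name clean_pem and the sample input are constructed for illustration. It keeps only the BEGIN/END blocks and also reports whether the file holds a private key that is not protected by a password.

```python
import re

MARK = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

# Constructed sample shaped like pkcs12 output (placeholder body, not a real key)
SAMPLE = """Bag Attributes
    friendlyName: constructed-example
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed-example
subject=CN = example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""

def clean_pem(text):
    """Keep only BEGIN/END blocks; return (pem, labels, plaintext_key)."""
    blocks, labels, current, label, plaintext_key = [], [], None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = MARK.match(line)
        if current is None:
            if m and m.group(1) == "BEGIN":  # block starts; lines outside blocks are dropped
                label, current = m.group(2), [line]
            continue
        if m and m.group(1) == "BEGIN":
            raise ValueError(f"BEGIN inside unterminated {label} block")
        current.append(line)
        if m:  # END marker: it must close the block that is open
            if m.group(2) != label:
                raise ValueError(f"END {m.group(2)} closes BEGIN {label}")
            body = "\n".join(current)
            # "ENCRYPTED PRIVATE KEY" or a legacy Proc-Type header means a password is set
            encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            if label.endswith("PRIVATE KEY") and not encrypted:
                plaintext_key = True
            blocks.append(body)
            labels.append(label)
            current = label = None
    if current is not None:
        raise ValueError(f"unterminated {label} block")
    return "".join(b + "\n" for b in blocks), labels, plaintext_key

if __name__ == "__main__":
    pem, found, plaintext = clean_pem(SAMPLE)
    print(pem, end="")
    print("unencrypted private key present:", plaintext)
```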

That’s all it takes to convert a PFX certificate file to various other formats with and without a password.

If you want to read more about all the options available for OpenSSL, here is the OpenSSL documentation.
