SSL certificate and key conversion to pfx
The domain certificates we buy from a Certificate Authority usually arrive as a .key file (the private key) and a .cer or .crt file (the certificate), which most web servers can use directly. Windows IIS, however, expects the certificate and its private key bundled in a single PFX (PKCS#12) file.
1. Interconversion of SSL certificate and private key with pfx format
1.1. SSL certificate and private key merge to generate pfx format
We can use openssl to combine the certificate and private key into a PFX file for IIS. Example:
# Generate bitone.dev.pfx from bitone.dev.key and bitone.dev.cer; openssl prompts for an export password, which IIS asks for again on import
openssl pkcs12 -export -out bitone.dev.pfx -inkey bitone.dev.key -in bitone.dev.cer
# Conversion with the CA chain: generate bitone.dev_ca.pfx from bitone.dev.key, bitone.dev.crt and the issuing CA certificate bitone.dev_ca.crt. Use -certfile to embed the CA certificate; -CAfile on its own only names a trust store and embeds nothing unless -chain is also given
openssl pkcs12 -export -out bitone.dev_ca.pfx -inkey bitone.dev.key -in bitone.dev.crt -certfile bitone.dev_ca.crt
1.2. Extracting private keys and certificates based on pfx files
If you only have a certificate in PFX format, you can also use openssl to extract the private key (.key) and the certificate (.cer/.crt) from it. The following commands are examples for reference:
# Extract the certificate(s) and private key into bitone.dev.pem; you are prompted for the PFX password, and -nodes writes the private key unencrypted, so protect the output file
openssl pkcs12 -in bitone.dev.pfx -nodes -out bitone.dev.pem
# Extract the RSA private key (for EC or other key types use "openssl pkey" instead of "openssl rsa")
openssl rsa -in bitone.dev.pem -out bitone.dev.key
# Extract the x509 certificate; this writes only the first certificate in the file, so any CA certificates from the PFX must be saved separately
openssl x509 -in bitone.dev.pem -out bitone.dev.crt
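The two procedures above, merging into a PFX and extracting again, as one runnable round trip. This is an added example and not code from the original page: it generates a throwaway CA and leaf certificate (constructed test material), exports them to a PFX with a chosen password, extracts them again and verifies that the recovered private key belongs to the certificate, that the CA certificate actually made it into the PFX, and that the leaf still chains to the CA. All file names, the export password and the small openssl config it writes are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not from the original page: push a private key and its
# certificate chain through a PKCS#12 (.pfx) file and prove that what comes
# back out is what went in. The CA and leaf certificate are constructed
# throwaway material generated below; every file name and password is an
# assumption made for this example.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test material: a throwaway CA plus a leaf certificate it issues.
# A private openssl config keeps the CA's basicConstraints explicit instead of
# depending on whatever the system openssl.cnf happens to contain.
make_test_material() {
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -config ca.cnf -subj "/CN=bitone.dev" -newkey rsa:2048 -nodes \
        -keyout bitone.dev.key -out bitone.dev.csr 2>/dev/null
    openssl x509 -req -in bitone.dev.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
        -days 30 -out bitone.dev.crt 2>/dev/null
}

# Section 1.1: bundle key, leaf certificate and issuing CA into one PFX.
# -certfile is what embeds the CA certificate; -CAfile alone only names a
# trust store and embeds nothing unless -chain is also given. $1 is the
# export password, which IIS asks for again on import.
export_pfx() {
    openssl pkcs12 -export -out bitone.dev.pfx -inkey bitone.dev.key \
        -in bitone.dev.crt -certfile ca.crt -passout "pass:$1"
}

# Section 1.2: split the PFX back into private key, leaf and CA certificates.
# -nodes writes the key unencrypted, so the subshell's umask keeps it 0600.
extract_pfx() {
    (
        umask 077
        openssl pkcs12 -in bitone.dev.pfx -passin "pass:$1" -nocerts -nodes -out out.key 2>/dev/null
        openssl pkcs12 -in bitone.dev.pfx -passin "pass:$1" -nokeys -clcerts -out out.crt 2>/dev/null
        openssl pkcs12 -in bitone.dev.pfx -passin "pass:$1" -nokeys -cacerts -out out_ca.crt 2>/dev/null
    )
}

# SHA-256 over the DER public key, so a key file and a certificate can be compared.
pubkey_digest_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Returns 0 only if the extracted key belongs to the certificate, both
# extracted certificates are the originals, and the leaf chains to the CA.
roundtrip_ok() {
    make_test_material
    export_pfx "$1"
    extract_pfx "$1"
    k="$(pubkey_digest_of_key out.key)"
    [ -n "$k" ] && [ "$k" = "$(pubkey_digest_of_cert bitone.dev.crt)" ] || return 1
    [ "$(cert_fingerprint out.crt)" = "$(cert_fingerprint bitone.dev.crt)" ] || return 1
    [ "$(cert_fingerprint out_ca.crt)" = "$(cert_fingerprint ca.crt)" ] || return 1
    openssl verify -CAfile out_ca.crt out.crt >/dev/null 2>&1
}

# A PFX is only as private as its password: the wrong one must not open it.
wrong_password_rejected() {
    if openssl pkcs12 -in bitone.dev.pfx -passin pass:not-the-password -nokeys \
        -out /dev/null 2>/dev/null; then
        return 1
    fi
}

if roundtrip_ok changeit && wrong_password_rejected; then
    echo "PKCS#12 round trip verified: key matches certificate, chain intact"
else
    echo "round trip FAILED" >&2
    exit 1
fi
```

Run it as a plain sh script with openssl on the PATH. If a PFX produced by an older Windows or OpenSSL 1.x export cannot be read by OpenSSL 3, add -legacy to the pkcs12 commands: the RC2 and 3DES ciphers those exporters used now live in the legacy provider.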
2. Introduction to different types of certificate formats and encodings
2.1. Different types of certificate encodings and extensions
- The .CRT extension is used for certificates. A certificate can be encoded as binary DER or as ASCII PEM, and the extension does not tell you which: a PEM file starts with a -----BEGIN CERTIFICATE----- line, while a DER file is raw binary. The .CER and .CRT extensions are almost synonymous; .CRT is most common on Unix and Unix-like systems, and .CER is an alternative form of .crt.
- The .KEY extension is used for public and private keys (PKCS#8). Keys can likewise be encoded as binary DER or ASCII PEM.
2.2. Viewing certificates
openssl x509 -in bitone.dev.pem -text -noout
openssl x509 -in bitone.dev.cer -text -noout
openssl x509 -in bitone.dev.crt -text -noout
openssl x509 -in bitone.dev.der -inform der -text -noout
2.3. Conversion of common certificate types
- CER/CRT to PEM conversion
If the file is already PEM-encoded (it starts with -----BEGIN CERTIFICATE-----), the extension can simply be changed, for example bitone.crt -> bitone.pem. If it is DER-encoded, use the DER to PEM conversion below.
- Converting PFX to PEM
The PFX format is generally found on Windows servers. Example of extracting the certificate and the private key into separate files:
# Extract the certificate(s)
openssl pkcs12 -in bitone.dev.pfx -nokeys -out cert.pem
# Extract the private key (unencrypted because of -nodes)
openssl pkcs12 -in bitone.dev.pfx -nocerts -out key.pem -nodes
- Converting P7B to PEM
The P7B (PKCS#7) format is typically found on Windows servers and Tomcat. It contains certificates only, never a private key. Conversion example (add -inform DER if the .p7b file is binary rather than PEM):
openssl pkcs7 -print_certs -in bitone.p7b -out bitone.cer
- DER to PEM conversion
The DER format is typically found on the Java platform.
# Converting certificates
openssl x509 -inform der -in bitone.cert.cer -out bitone.cert.pem
# Converting private keys ("openssl rsa" handles RSA keys only; use "openssl pkey" for other key types)
openssl rsa -inform DER -outform PEM -in bitone.privatekey.der -out bitone.privatekey.pem