INFORMATICS

The Best

How to Create a PFX Certificate File from a PEM File

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 

How to Create a PFX Certificate File from a PEM File

Issue

Some certificate authorities (such as RapidSSL) only supply certificate in the form of a PEM file, which is not usable by many Windows services.

In the case of RapidSSL, the PEM file may not have been generated as a part of a certificate signing request.

How to Convert PEM to PFX

  • Install the latest stable Open SSL. The main page is here or you can find good Windows binaries here.
  • Copy the PEM file to the OpenSSL binary folder, such as C:\Program Files\OpenSSL-Win64\bin
  • Open an administrative command prompt or Powershell window to that folder
  • Type in:

.\openssl pkcs12 -export -out result.pfx -inkey mypemfile.pem -in mypemfile.pem

  • You will be prompted for a PFX password as part of the process. You must securely store the password with the PFX file to be able to use it.
  • Above, the -inkey command is used to input the private key. If you have a separate certificate signing request (CSR) this would likely not be in the .PEM file, but would be in a separate .CRT file:

.\openssl pkcs12 -export -out result.pfx -inkey mycsrkeyfile.crt -in mypemfile.cer

Also see here.

Applies to:

  • Windows Server services that require a PFX certificate that includes the private key

 

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.

Requirements

  • The original private key used for the certificate
  • A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
  • OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin)

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL:

PEM (.pem, .crt, .cer) to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs12 – the file utility for PKCS#12 files in OpenSSL
  • -export -out certificate.pfx – export and save the PFX file as certificate.pfx
  • -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
  • -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
  • -certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs7 – the file utility for PKCS#7 files in OpenSSL
  • -print_certs -in certificate.p7b – prints out any certificates or CRLs contained in the file.
  • -out certificate.crt – output the file as certificate.crt
Note: You can also use OpenSSL to extract the certificates and private key from a PKCS#12/PFX file.

Search