Skip to end of metadata
Go to start of metadata
  1. Sometimes you will have an existing PFX file that you want to convert to PEM format. To do this procedure, you will need to know the password when the PFX was exported.

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.

     

  2. Convert encrypted key to unencrypted key

    Linux

    $ openssl rsa -in [keyfile-encrypted.key] -out server.key

    Windows

    C:\xampp\apache\bin\openssl rsa -in [keyfile-encrypted.key] -out server.key

     

  3. Extract the server certificate and convert to PEM format

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

     

  4. Extract the server certificate chain

    Linux

    $ openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]


  5. (optional) In case your file is in p7b format, extract the server certificate and convert to PEM format

    Linux

    $ openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

Now use the server.crt, server-ca.crt and server.key appropriately.

  • No labels