
Converting a PFX file to PEM and Key via openssl

For some weird reason, although the steps are simple, I cannot easily find a single page which gives you the exact steps (only 4) to convert a PFX file to a PEM and a KEY file.

Below are the steps to convert. They will generate an aa_s.key and an aa.pem, which you can then put into your system, e.g. Apache, hMailServer etc.

REM Set the path to include the openssl directory

set path=%path%;C:\OpenSSL\bin;

REM Export the private key
openssl pkcs12 -in aa.pfx -out aa.key -nocerts -nodes

REM take out the encryption from the private key
openssl rsa -in aa.key -out aa_s.key

REM export the ssl cert (normal cases)
openssl pkcs12 -in aa.pfx -out aa.pem -nokeys -clcerts

REM export the ssl cert (Crescendo load balancers)

openssl pkcs12 -in aa.pfx -out aa_tmp_cn.pem -nodes
openssl x509 -in aa_tmp_cn.pem -out aa_cn.pem -text

REM Verification: run the following 2 commands, the output should be exactly the same
openssl x509 -noout -modulus -in aa.pem | openssl md5
openssl x509 -noout -modulus -in aa_cn.pem | openssl md5
openssl rsa -noout -modulus -in aa_s.key  | openssl md5

Done!
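
The normal-case steps above as one POSIX shell script, added here as an example and not part of the original post: it exports the key and certificate, deletes the intermediate aa.key, keeps the unencrypted aa_s.key readable by its owner only, and fails unless the key and certificate moduli match. The function names, the PFX_PASS environment variable and the self-signed sample PFX are assumptions made for the example; the openssl commands are the same ones the post runs from Windows cmd.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the PFX_PASS
# variable and the sample certificate are assumptions made for illustration.

# Succeeds only if the certificate ($1) and RSA private key ($2) share a modulus.
# The post pipes the modulus through "openssl md5" so it is easy to compare by
# eye; a script can compare the full strings directly.
key_matches_cert() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# pfx_to_pem PFX OUTDIR: writes OUTDIR/aa_s.key and OUTDIR/aa.pem.
# The PFX password is read from $PFX_PASS so it is not typed on the command line.
pfx_to_pem() {
    pfx=$1; out=$2; old_umask=$(umask)
    umask 077    # the exported key is unencrypted: make it owner-readable only
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes -out "$out/aa.key" 2>/dev/null &&
    openssl rsa -in "$out/aa.key" -out "$out/aa_s.key" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts -out "$out/aa.pem" 2>/dev/null
    rc=$?
    rm -f "$out/aa.key"    # intermediate copy of the key is no longer needed
    umask "$old_umask"
    [ "$rc" -eq 0 ] && key_matches_cert "$out/aa.pem" "$out/aa_s.key"
}

# Build a constructed, self-signed sample PFX in directory $1 (demo input only).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/src.key" -out "$1/src.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.pem" \
        -passout env:PFX_PASS -out "$1/aa.pfx" 2>/dev/null
}

# Run the whole conversion on the constructed PFX in a throwaway directory.
demo() {
    tmp=$(mktemp -d) || return 1
    PFX_PASS="constructed-demo-password"; export PFX_PASS
    make_sample_pfx "$tmp" && pfx_to_pem "$tmp/aa.pfx" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo && echo "aa_s.key matches aa.pem"
```

For a real file, export PFX_PASS and call pfx_to_pem with the PFX path and an output directory; a non-zero exit status means the export failed or the key does not belong to the certificate.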

Categories: General
  1. John
    May 23, 2012 at 10:25 am

    Thanks!!

    The take out the encryption from the private key bit was catching me out and I’ve never seen anyone make a direct reference to it!

  2. August 22, 2012 at 2:33 am

    Excellent post, so useful!

  3. January 25, 2013 at 8:14 pm

    How can I create a certificate chain from a .pfx file? Thank you

    • February 14, 2013 at 7:32 am

      The better way would be to export each cert in the chain one by one then combine them together once you have them all in a pem file

  4. Ahmed Ismail
    March 20, 2013 at 5:43 am

    What about if using a password encrypting the pfx file?

    • March 20, 2013 at 6:30 am

      It will prompt you to enter password

  5. Ahmed Ismail
    March 20, 2013 at 6:55 am

    Thank you!

  6. March 2, 2015 at 10:51 pm

    There is a typo: “openssl pkcs12 -in a.apfx -out aa_tmp_cn.pem -nodes” – “openssl pkcs12 -in aa.pfx -out aa_tmp_cn.pem -nodes”.

    • Jacob
      September 15, 2015 at 7:50 am

      Thanks mate I was actually a little thrown off by that typo

    • September 15, 2015 at 12:10 pm

      Ah yes, forgot about that, thanks for pointing it out!

  7. Matt
    July 10, 2016 at 5:44 pm

    Thank you! Used this to export my Windows cert with key for PRTG!
