Changing from pfx to pem certificates
Sometimes you may find the necessity to convert a “.pfx” certificate into a “.pem” certificate.
Because for example the system where you are trying to install/import it, is not accepting the “.pfx” format.
Example screenshot, from a F5 HLB
Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. More info here.
The server, for example in this case the F5 Hardware Load Balancer will require the following two files:
1 – Server.key : the private key associated with the certificate
2 – Server.pem : the certificate with “.pem” format. this is the most common format used for certificates.
For doing this, we will use the software Open SSL –> Using Open SSL, you can extract the certificate and private key.
For information on OpenSSL please visit: www.openssl.org Note: OpenSSL is an open source tool.
Things to do:
You have to download the software OpenSSL and install on the computer that you will use to convert the certificate from pfx to pem format.
You should open a command prompt, and go to the path where the software has been installed. As you can see in the below example screenshots, “D:\OpenSSL-Win32\bin”
To extract the private key from a .pfx file, run the following OpenSSL command:
- openssl pkcs12 -in myCert.pfx -nocerts -out privateKey.pem
Where “myCert.pfx” is replaced with the name of your pfx certificate, and where “privateKey.pem” is replaced by the name you want.
You will be requested to type, the password of the private key you have already on your side.
If there is any error typing the password, you will see “Mac verify error: invalid password?”
If you have typed properly the password of the .pfx certificate, you will see “MAC verified OK”, and you will be requested to “Enter PEM pass phrase:”.
In this case, you can use if you want the same password you already typed previously, when you were requested to “Enter Import Password”
The private key that you have extracted will be encrypted. To unencrypt the file so that it can be used, you need to run the following command:
- openssl rsa -in privateKey.pem -out private.pem
Where “privateKey.pem” is replaced with the name you chose in the previous command, and where “private.pem” is replaced by the name you want.
The resulting private.pem file should be the key file that you want, so you just need to rename the file to “.key” format.
You can now use this as your Server.key file on your Server.
To get the corresponding Server Certificate, you run the following OpenSSL command:
- openssl pkcs12 -in myCert.pfx -clcerts -nokeys -out EntrustCert.pem
Where “myCert.pfx” is replaced with the name of your pfx certificate, and where “EntrustCert.pem” is replaced by the name you want for your certificate.
Open it up using notepad to make sure there is not additional information showing up as text in the file. There may be some additional lines displaying the DN and Bag Attributes. Remove all of this from the file so that you end up with something like this:
—–BEGIN RSA PRIVATE KEY—–
—–END RSA PRIVATE KEY—–
You can now use the resulting file as your “cert_.pem” file in the server.
Now that you have the certificate with the needed format: “cert.pem” and the private key in the needed format: “Server.key”.
You can install/import it on the required system, as for example F5 Hardware Load Balancer.