pfx to pem certificate conversion with openssl

I work in a mixed Linux and Windows environment. Our Certificate Authority is Windows. Unfortunately the Windows CA does not support exporting a certificate in PEM (Privacy Enhanced Mail Certificate) format. Fortunatley there is a relativity easy work around. Which requires one to download OpenSSL utilities. Most Linux applications I have supported require the certificate be in a PEM format to be readable.

In this example I export the certificate with the private key from the Windows CA. Using the openssl utility to extract the private key ( .pem file) from .pfx (Personal Information Exchange).

PFX: Defines a file format commonly used to store private with accompanying public key certificates, protected with a password-based symmetric key (standard-PKCS12).

PEM : Openssl usages PEM (Privacy Enhanced Mail Certificate) to store the private key.

If you have downloaded the openssl utility, then go to command prompt and run the following commands. If not, download it from openssl, you can either download binary or source and then compile.

Execute the following command to extract the private key from the PFX file.

STEP 1. Extract the private key from the PFX file.

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

STEP 2. To extract the certificate in PEM format from the publicly signed certificate.

openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

STEP 3. To remove the password from the private key file. Some applications require that the password be removed from the private key or they will fail to start.

openssl rsa -in privateKey.pem -out privateNoPassword.pem 

In addition, the certificate files should be secured so that only root has access to them.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s