
OpenSSL Certificate Conversion Commands

OpenSSL is a robust tool for managing certificates in various formats. Different systems require different file extensions and encoding schemes (such as PEM, DER, or PKCS#12), making conversion a necessary task for system administrators and developers.^[600-developer__tools__security__security-file-extension-name.md]

This page outlines common openssl commands used to convert between these formats.

Convert PFX to PEM (Public Key)

To extract only the certificate (which carries the public key) from a PKCS#12 file (typically .pfx or .p12) and save it in PEM format, use the pkcs12 command with the -nokeys option^[600-developer__tools__security__security-file-extension-name.md].

openssl pkcs12 -in localhost.pfx -out localhost.crt -nokeys -nodes
  • -in: The input PFX filename.
  • -out: The output filename for the public key (certificate).
  • -nokeys: Tells OpenSSL not to output the private key.
  • -nodes: Writes any exported private key unencrypted ("no DES"), so OpenSSL does not prompt for an output passphrase. Because -nokeys already omits the key, it has no effect on this command; OpenSSL 3.0 and later call this option -noenc and deprecate -nodes.

This is commonly required when moving certificates from Windows environments (which often use PFX) to Linux environments (which typically use PEM)^[600-developer__tools__security__security-file-extension-name.md].

Convert PEM to PFX

To combine a separate private key and certificate into a single PKCS#12 file (.pfx), use the -export flag^[600-developer__tools__security__security-file-extension-name.md]. You will be prompted to set an export password to protect the file.

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
  • -in: The input certificate file (PEM format, e.g., .crt).
  • -inkey: The input private key file (PEM format, e.g., .key).
  • -out: The output PFX filename.
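
The two conversions above as one round trip, in an added example that is not part of the original page: it bundles a throwaway self-signed certificate into a PFX, extracts the certificate with -nokeys, and checks that the output holds no private key and keeps the same fingerprint. The CN, the PFX_PASS variable, the passphrase and the helper function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: every filename and the passphrase are constructed sample values.
set -eu

PFX_PASS='constructed-sample-passphrase'   # sample only; never hard-code a real one
export PFX_PASS                            # read by openssl via env:, keeps it off argv

# Build a throwaway self-signed key + certificate and bundle them (PEM to PFX).
make_sample_pfx() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -out "$1/server.pfx" -passout env:PFX_PASS
    chmod 600 "$1/server.key" "$1/server.pfx"   # both files hold the private key
}

# PFX to PEM, certificate only: -nokeys keeps the private key out of the output.
extract_cert() {      # $1 = input PFX, $2 = output PEM
    openssl pkcs12 -in "$1" -out "$2" -nokeys -passin env:PFX_PASS
}

# True if the file carries any PEM private-key block (plain or encrypted).
has_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }

# SHA-256 fingerprint of the first certificate in a PEM file.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Run the round trip and confirm nothing was lost or leaked on the way.
verify_roundtrip() {  # $1 = working directory
    make_sample_pfx "$1"
    extract_cert "$1/server.pfx" "$1/localhost.crt"
    if has_private_key "$1/localhost.crt"; then
        echo 'FAIL: private key present in certificate-only export' >&2; return 1
    fi
    [ "$(fingerprint "$1/server.crt")" = "$(fingerprint "$1/localhost.crt")" ] || {
        echo 'FAIL: extracted certificate differs from the original' >&2; return 1; }
    echo 'OK: same certificate, no private key in localhost.crt'
}

workdir=$(mktemp -d)                 # private (0700) scratch directory
trap 'rm -rf "$workdir"' EXIT        # remove the key material when the script ends
verify_roundtrip "$workdir"
```

The same has_private_key check is worth running on any .crt or .pem before it is copied to a location that is world-readable or checked into source control.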

Common Certificate Formats

Understanding the differences between file formats is helpful when performing conversions^[600-developer__tools__security__security-file-extension-name.md].

  • PEM: The most common format, used by servers like Apache. It is Base64 encoded ASCII. Extensions include .pem, .crt, .cer, and .key.
  • DER: A binary format often used in Java platforms. It does not contain "BEGIN/END CERTIFICATE" statements.
  • PKCS#7 (P7B): Stored in Base64 ASCII format. It contains certificates and chain certificates but not the private key.
  • PKCS#12 (PFX/P12): A binary format used to store the server certificate, intermediate certificates, and the private key in a single encrypted file.

Sources

  • 600-developer__tools__security__security-file-extension-name.md