A PFX file is a certificate in PKCS#12 format. It contains the SSL certificate (public keys) and the corresponding private keys.
Most of the Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats which don’t have the private key in most of the cases.
But, sometimes our application needs the certificate in .pfx format.
Now, we have a .cer certificate in our hand, but we need a .pfx certificate to deploy. And, we can’t convert the .cer certificate to .pfx without the private key.
This problem has created confusion in most people and may create delays in the certificate deployment/renewal process. This topic provides instructions on how to convert the .pfx file to .crt and .key files.
Table of Contents
What is a PFX file
The certificate is, nominally, a container for the public key. It includes the public key, the server name, some extra information about the server, and a signature computed by a certification authority (CA). When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA’s certificate, and so on). Certificates are intrinsically public objects.
A .pfx file is a PKCS#12 archive: a bag that can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.
what is a PEM file
PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust.
How to convert pfx file to pem file
Run the following command to extract the private key:
- openssl pkcs12 -in output.pfx -nocerts -out private.key
We will be prompted to type the import password. Type the password that we used to protect our keypair when we created the .pfx file.
We will be prompted again to provide a new password to protect the .key file that we are creating. Store the password to our key file in a secure place to avoid misuse.
Run the following command to extract the certificate:
- openssl pkcs12 -in output.pfx -clcerts -nokeys -out certificate.crt
Run the following command to decrypt the private key:
- openssl rsa -in private.key -out decrypted.key
Type the password that we created to protect the private key file in the previous step.
Now we have the private key and certificate now.
A PFX file is a certificate in PKCS#12 format. PKCS#12 is a standard for a container that can hold an X509 client certificate and the corresponding private keys, as well as (optionally) the X509 certificates of the CAs that signed the X509 client certificate(s).