Converting Certificates - OpenSSL
Feb 19, 2024
Converting Certificates From One Format to Another
Several file formats can hold certificates and their private keys, each with its own benefits. Applications often expect different formats, so from time to time you may need to convert a certificate from one format to another. Before converting, it helps to know how to identify the formats:
- Privacy Enhanced Mail (PEM) – This is one of the most common formats you will see. It is easily identifiable because it always starts and ends with “PEM Armor”: a header and a footer that declare what is in between them. For example:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Or
-----BEGIN PKCS7-----
-----END PKCS7-----
- PKCS #7 B (P7B) – This format is the "Cryptographic Message Syntax Standard". It generally contains a full certificate chain including the root, intermediate, and end-entity certificate. This is the format that is generally appended to digital signatures.
- PKCS #12/PFX/P12 – This format is the "Personal Information Exchange Syntax Standard". A .pfx will hold a private key and its corresponding public key. It may also include intermediate and root certificates. Pfx/p12 files are password protected. These can be readily imported for use by many browsers and servers including OS X Keychain, IIS, Apache Tomcat, and more.
- Base64 – This is the standardized encoding for .pem files, though other file extensions such as .cer and .crt may also use Base64 encoding.
- DER – Distinguished Encoding Rules; this is a binary format commonly used in X.509 certificates.
While all of this can be a little confusing, OpenSSL can convert from one format to another fairly easily. OpenSSL is generally pre-installed on GNU/Linux platforms, and Mac OS X also ships with it. For Windows, a Win32 OpenSSL installer is available.
Remember, it’s important to keep your private key secured; be sure to limit who and what has access to these keys.
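To make the identification rules above concrete, the following shell functions (an added example, not part of the original article) classify a file by its PEM armor or its leading DER bytes, and flag PEM private keys stored without a passphrase, which is what the -nodes option used further down this page writes out. The function names and output tokens are assumptions made for this example, and the DER check is a heuristic on the first bytes only.

```shell
#!/bin/sh
# Added example; function names and output tokens are hypothetical.

# Print "pem:<labels>", "der:<kind>" or "unknown" for the file in $1.
cert_file_kind() {
    f=$1
    # PEM: collect every armor label, e.g. "CERTIFICATE,PRIVATE KEY".
    labels=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" |
             sort -u | paste -sd, -)
    if [ -n "$labels" ]; then
        echo "pem:$labels"
        return 0
    fi
    # Binary: hex of the first bytes, then strip the outer SEQUENCE header.
    hex=$(od -An -tx1 -N 24 "$f" | tr -d ' \n')
    case $hex in
        3080*) body=${hex#3080} ;;        # BER indefinite length
        3081*) body=${hex#3081??} ;;      # one length byte follows
        3082*) body=${hex#3082????} ;;    # two length bytes follow
        3083*) body=${hex#3083??????} ;;  # three length bytes follow
        30*)   body=${hex#30??} ;;        # short-form length
        *)     echo "unknown"; return 1 ;;
    esac
    # Nothing stripped means the header itself was truncated.
    [ "$body" != "$hex" ] || { echo "unknown"; return 1; }
    # Heuristic on the first inner element; confirm with openssl before trusting.
    case $body in
        020103*)                 echo "der:pkcs12" ;;       # PFX version 3
        06092a864886f70d010702*) echo "der:pkcs7" ;;        # signedData OID
        020100*|020101*)         echo "der:private-key" ;;  # key version field
        30*)                     echo "der:certificate" ;;  # nested SEQUENCE
        *)                       echo "unknown"; return 1 ;;
    esac
}

# Succeed if $1 holds a PEM private key that is not passphrase-protected.
has_plaintext_key() {
    LC_ALL=C awk '
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ { inkey = 1; enc = 0; next }
        inkey && /^Proc-Type: 4,ENCRYPTED/             { enc = 1 }
        inkey && /^-----END /                          { if (!enc) found = 1; inkey = 0 }
        END { exit (found ? 0 : 1) }' "$1"
}
```

A "der:certificate" result only means the file starts with a nested SEQUENCE, which other structures share, so treat it as a hint for which -inform value to try rather than as proof.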
Certificates
- Converting PEM encoded certificate to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
- Converting DER encoded certificate to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
- Converting PEM encoded certificates to PKCS7 (P7B)
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
- Converting PKCS #7 (P7B) to PEM encoded certificates
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Certificates and Keys
- Converting PEM encoded Certificate and private key to PKCS #12 / PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- Converting PKCS #7 (P7B) and private key to PKCS #12 / PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
- Converting PKCS #12 / PFX to PKCS #7 (P7B) and private key
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes