Pfx to pem windows

To use a PFX certificate in Kaspersky Security Center Web Console, you must first convert it to PEM format using any cross-platform OpenSSL-based utility.

To convert a certificate from PFX to PEM format on Windows:

  1. In a cross-platform OpenSSL-based utility, run the following commands:

    openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out server.crt

    openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out key.pem

    As a result, you get the public key as a .crt file and the private key as a passphrase-protected .pem file.

  2. Make sure that the .crt and .pem files are generated in the same folder where the .pfx file is stored.
  3. If the .crt or .pem file contains "Bag Attributes", remove these attributes using any convenient text editor, and then save the file.
  4. Restart the Windows service.
  5. Kaspersky Security Center Web Console does not support passphrase-protected certificates. Therefore, run the following command in a cross-platform OpenSSL-based utility to remove the passphrase from the .pem file:

    openssl rsa -in key.pem -out key-without-passphrase.pem

    Do not use the same name for the input and output .pem files.

    As a result, the new .pem file is not encrypted. You do not need to enter a passphrase to use it.

The .crt and .pem files are ready for use, so you can specify them in the Kaspersky Security Center Web Console installer.

To convert a certificate from PFX to PEM format on Linux:

  1. In a cross-platform OpenSSL-based utility, run the following commands:

    openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt

    openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > key.pem

  2. Make sure that the certificate file and the private key are generated in the same folder where the PFX file is stored.
  3. Kaspersky Security Center Web Console does not support passphrase-protected certificates. Therefore, run the following command in a cross-platform OpenSSL-based utility to remove the passphrase from the .pem file:

    openssl rsa -in key.pem -out key-without-passphrase.pem

    Do not use the same name for the input and output .pem files.

    As a result, the new .pem file is not encrypted. You do not need to enter a passphrase to use it.

The .crt and .pem files are ready for use, so you can specify them in the Kaspersky Security Center Web Console installer.
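Both procedures above end with two conditions on the converted files: no "Bag Attributes" text around the PEM blocks, and no passphrase on the key. The following is an added example, not part of the vendor documentation, that checks both before the files are handed to the installer; the function names are assumptions, and it inspects the PEM text only.

```shell
#!/bin/sh
# Added example, not vendor code: checks the two conditions the procedure
# above sets for the converted files (no "Bag Attributes" text, no passphrase).

# Print only the PEM blocks of a file, dropping "Bag Attributes" lines and any
# other text that openssl pkcs12 writes around them. Tolerates CRLF endings.
pem_blocks() {
    sed -n '/^-----BEGIN [A-Z0-9 ]*-----[[:space:]]*$/,/^-----END [A-Z0-9 ]*-----[[:space:]]*$/p' "$1"
}

# Succeed if the file holds a passphrase-protected private key, either
# PKCS#8 ("ENCRYPTED PRIVATE KEY") or legacy PEM ("Proc-Type: 4,ENCRYPTED").
pem_key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print one finding per line, or "ok"; exit status is 0 only for "ok".
pem_report() {
    problems=0
    if [ -z "$(pem_blocks "$1")" ]; then
        echo "no-pem-block"; problems=1
    elif ! pem_blocks "$1" | cmp -s - "$1"; then
        echo "extra-text"; problems=1
    fi
    if pem_key_is_encrypted "$1"; then
        echo "encrypted-key"; problems=1
    fi
    [ "$problems" -eq 0 ] && echo "ok"
    return "$problems"
}

# Usage: sh check_pem.sh server.crt key-without-passphrase.pem
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(pem_report "$f" | tr '\n' ' ')"
done
```

A file reported as extra-text can be cleaned with `pem_blocks file > cleaned-file`; a file reported as encrypted-key still needs the `openssl rsa` step shown above.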

Do you want to convert a PFX file to PEM using OpenSSL in Windows? This tutorial explains how. Sometimes you might want to convert your .p12 certificate file (Personal Information Exchange) into a .pem file so that it can be used in grid computing environments or even in a NetScaler gateway. This tutorial explains how to convert a PFX file to PEM using the Win32 OpenSSL utility on the Windows operating system. If you want to do the same on the Linux operating system, then here’s a guide for that.

How to convert PFX file to PEM using OpenSSL in Windows?

Step 1: Download and install Win32 OpenSSL package.

Step 2: Now create a folder to store converted certificate files. Say, D:\certificate

Step 3: Copy .p12 certificate file into the folder created in step 2.

Step 4: Launch command prompt via Run > cmd

Step 5: Switch to the directory created in step 2.

cd /d D:\certificate

Step 6: Create certificate file using the below OpenSSL command and enter the Import Password set while exporting the certificate from the browser.

openssl pkcs12 -in test.p12 -out test.crt.pem -clcerts -nokeys


Step 7: Create certificate private key using the below OpenSSL command and enter the Import Password set while exporting the certificate from the browser.

openssl pkcs12 -in test.p12 -out test.key.pem -nocerts -nodes


Now, your certificate file is test.crt.pem and private key is test.key.pem.

You can also convert .p12 into .pem that contains both the certificate & private key. To do that, run the below command and enter Import Password set while exporting the certificate from the browser. You will be asked to set new PEM pass phrase to protect the converted file.

D:\Certificate>openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Note:

It’s important to remember the PEM pass phrase, as you will need it later.

That’s it! Now you can use the PEM certificate formats in grid computing environment. For example, you may want to generate Grid proxy using the PEM certificate files. To do that, you need to run the grid-proxy-init command as shown below.

$ grid-proxy-init -cert test.crt.pem -key test.key.pem


Introduction

What is PFX

A PFX (Personal Information Exchange) file is a format used to store a combination of a private key, a public key, and the corresponding digital certificate. It is also known as a PKCS #12 file. These files are used primarily for securing and transferring digital certificates and their associated private keys.

PFX files are often used in scenarios where both the certificate and the private key need to be exported or imported together. For instance, when installing SSL/TLS certificates on web servers, the PFX file can be used to easily import both the certificate and its associated private key onto the server, simplifying the setup process.

PFX files are password-protected to ensure security. Users typically set a password during the creation of the PFX file, which is required to access the private key and the certificate stored within it.


What are crt and key files?

.crt and .key files are file extensions used for storing specific components related to SSL/TLS certificates and their corresponding private keys.

1. .crt (Certificate file):

The .crt file, also known as a certificate file, contains the public portion of an SSL/TLS certificate. It contains information about the certificate’s owner, the certificate’s validity period, the digital signature of the certificate authority (CA) that issued it, and the public key. This file is often used to install SSL/TLS certificates on web servers or other applications requiring secure communication.

2. .key (Private Key file):

The .key file holds the private key corresponding to the certificate file’s public key (.crt). This private key is essential for decrypting data that has been encrypted using the public key associated with the certificate. The private key should be kept confidential and securely stored, as it is a critical component in establishing secure connections and encrypting sensitive information.

Let’s now see How to Convert PFX to Crt/PEM & Key Files

Prerequisites:

  1. Download OpenSSL.
  2. Keep ready the certificate PFX file that was exported (with a password) from the Windows certificate store, IIS, the Azure platform, etc.
  3. Install OpenSSL (usually installed in C:\Program Files\OpenSSL-Win64\)

Steps to Convert PFX to .Crt/PEM & .Key Files

  1. Open Command Prompt as Administrator (right-click on Command Prompt and select Run as Administrator)
  2. Switch to OpenSSL path i.e. C:\Program Files\OpenSSL-Win64\
  3. Verify that the Command Prompt path should be like below

4. Copy the PFX certificate file, for example certificate.pfx (replace it with your actual file name), into the “C:\Program Files\OpenSSL-Win64\bin” folder (or specify the absolute path of the file in the commands).

5. After copying the file into the bin folder, run the command below in the Command Prompt to export the private key file:

openssl pkcs12 -in certificate.pfx -nocerts -out certificate.key

It will prompt for the PFX file password to import the certificate. Then it will ask for a new password for the key file; enter the new password twice and press Enter. If no error is shown, the key file has been exported successfully.

6. Now enter the next command as mentioned below to export .cer file from PFX:

openssl pkcs12 -in certificate.pfx -nokeys -out certificate.cer

Again it will prompt for the password of the PFX file (the same one as in step 5). The -nokeys option keeps the private key out of certificate.cer. If the export is successful, there will be no error or message.

7. The last command converts the private key file so that it can be used without a password, which may be a requirement in some scenarios, such as Nginx or Apache. Replace the certificate.key file name with the actual file name that was created in step 5.

openssl rsa -in certificate.key -out certificate_pvt.key

It will prompt for the password that you have created in Step 5 while exporting the private key file from PFX.

Now check the location “C:\Program Files\OpenSSL-Win64\bin”, or the absolute path if you used one, for the certificate and key files.

You have successfully converted the PFX to CRT and key files that you can use in Apache or Linux or wherever they are required.


Conclusion

It is quite simple to get the CRT and key files from a PFX certificate. It can be done through an online portal like SSL Shopper. However, I would not suggest it, as your own certificate would be uploaded to a third-party server, which could be a compliance issue. Rather, go for the offline conversion as mentioned above. If you like this article you can share it further.


A common task we have to perform in our iPhone and Android app development projects is moving certificates around mixed platform environments, namely from Windows to Linux, or from Windows to Amazon Web Services (AWS).

For example, you may have a certificate and private key installed on a Windows Server machine and used by IIS, but how do you export it so you can then use it within Apache or NGINX running on a Linux server?

Or what about importing the certificate so you can use it to secure an HTTPS endpoint on an AWS Application Load Balancer?

In this post, I will show you very quickly how to export and transform a certificate used in Windows so that it can be used in non-Windows environments.

Pre-requisites

  • A Windows Server machine with an installed certificate and private key pair. The private key must have been imported and marked as Exportable, otherwise this tutorial will not work.
  • OpenSSL module installed for PowerShell.

Export Certificate from Windows

1.) Open up the local machine Certificate Manager (run “certmgr” from the Windows Search box)

2.) Find your installed certificate within one of your local certificate stores, right click on it, go to All Tasks -> Export.

3.) This launches the “Certificate Export Wizard”. Within this, click Next and make sure to check the “Yes, export the private key” option.

4.) For the Export File Format, make sure to check “Personal Information Exchange – PKCS #12” and accept the default checked values underneath it.

5.) Set a password that will be used to protect the exported PFX file, note this down for later.

6.) Choose a file location and name, and hit “Finish”.

At this point you now have a .PFX file exported that contains both the public and private keys for the certificate we are looking to convert.

Convert PFX File Format to PEM Format

1.) Open up a PowerShell Command window.

2.) The first step is to export the private key from the PFX file, to do that type:

openssl pkcs12 -in <filename>.pfx -nocerts -out key.pem

This will ask you to input the password you set on the PFX file in Step 5 of the previous section. You will also be prompted to provide a new password for the generated key.pem file, just pick any password for now, we are going to remove it at the end of the tutorial.

3.) Next, we will export the certificate from the pfx file itself and put it into its own .PEM file:

openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

4.) Finally, we will take the output of step 2 and remove the passphrase from it:

openssl rsa -in key.pem -out server.key

That’s it!

The cert.pem file contains the public key of your certificate. The server.key contains the private key associated with that certificate.

Copy PEM and KEY Files to Linux

1.) Copy the cert.pem and server.key files to your Linux instance.

2.) Ensure the right permissions are set on both files:

  • Set the directory permission to 700.
  • Set the file permission on both the .pem and .key files to 600.
  • Ensure the directory and files themselves are owned by the root user.

3.) Modify Apache or NGINX configurations to reference the above copied files.
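Before pointing Apache or NGINX at the copied files, it is worth confirming that server.key is really unencrypted and belongs to cert.pem, and applying the permissions from step 2 in one go. The following is an added example, not from the original post; the function names and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. cert.pem and server.key are the
# file names used above; the destination directory is a placeholder you pass in.

# Succeed only if the private key is unencrypted and its public half equals
# the public key inside the certificate.
#   return 2: certificate unreadable; return 3: key unreadable or still encrypted
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" supplies an empty passphrase, so an encrypted key fails
    # here instead of stopping at an interactive prompt.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ]
}

# Copy the pair into a directory with mode 700, files with mode 600.
install_tls_pair() {
    cert="$1"; key="$2"; dest="$3"
    key_matches_cert "$cert" "$key" || {
        echo "refusing to install: key and certificate do not match" >&2
        return 1
    }
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    install -m 600 "$cert" "$key" "$dest"/ || return 1
    # Ownership can only be changed by root; skipped for other users.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$dest"
    fi
}

# Usage: sh install_pair.sh cert.pem server.key /path/to/tls-directory
if [ "$#" -eq 3 ]; then
    install_tls_pair "$1" "$2" "$3"
fi
```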

Import Certificates into Amazon Certificate Manager

If you are looking to use the certificate within AWS as an SSL certificate on an Application Load Balancer, then you will need to first import the certificates into Amazon Certificate Manager.

1.) Log in to the Amazon Certificate Manager

2.) Click on Import Certificate

3.) In the box labelled “Certificate Body”, paste the contents of cert.pem file.

4.) In the box labelled “Certificate Private Key”, paste the contents of the server.key file.

5.) If there is an intermediate certificate authority used by your certificate then copy and paste the public key of any intermediate certificates into the Certificate Chain box.

6.) Modify your Application Load Balancer listener endpoints to use the certificate you imported in step 5.



Bobby Gill, Co-Founder & Chief Architect at BlueLabel

Sometimes you will have an existing PFX file that you want to convert to PEM format. Usually this is due to specific server requirements.

To convert PFX to PEM:

  1. Extract the private key from the PFX file. You will need the password that was used when the PFX was exported. Use the following commands:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key]

    (Use this command if the first command generates an empty certificate.)

  2. Convert encrypted key to unencrypted key:

    Linux

    $ openssl rsa -in [keyfile-encrypted.key] -out server.key

    Windows

    C:\xampp\apache\bin\openssl rsa -in [keyfile-encrypted.key] -out server.key

  3. Extract the server certificate and convert to PEM format:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

  4. Extract the server certificate chain:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -cacerts -nokeys -out [server-ca.crt]

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -cacerts -nokeys -out [server-ca.crt]

  5. (optional) In case your file is in p7b format, extract the server certificate and convert to PEM format

    Linux

    $ openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

Now you can use the server.crt, server-ca.crt and server.key files appropriately.
