How to generate a .pem CA certificate and client certificate from a PFX file using OpenSSL.

5 Answers
Another perspective for doing it on Linux... here is how to do it so that the resulting single file contains the decrypted private key so that something like HAProxy can use it without prompting you for passphrase.
openssl pkcs12 -in file.pfx -out file.pem -nodes
Then you can configure HAProxy to use the file.pem file.
This is an EDIT from previous version where I had these multiple steps until I realized the -nodes option just simply bypasses the private key encryption. But I'm leaving it here as it may just help with teaching.
openssl pkcs12 -in file.pfx -out file.nokey.pem -nokeys
openssl pkcs12 -in file.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key
cat file.nokey.pem file.key > file.combo.pem
- The 1st step prompts you for the password to open the PFX.
- The 2nd step prompts you for that plus also to make up a passphrase for the key.
- The 3rd step prompts you to enter the passphrase you just made up to store decrypted.
- The 4th puts it all together into 1 file.
Then you can configure HAProxy to use the file.combo.pem file.
The reason why you need 2 separate steps where you indicate a file with the key and another without the key, is because if you have a file which has both the encrypted and decrypted key, something like HAProxy still prompts you to type in the passphrase when it uses it.

- I haven't spent the time to get intimately familiar with openssl, but the pem conversion was not including the private key. The edit provided the detail on how to merge the cert and key into one pem file, just what I needed. – ebt Dec 08 '14 at 16:33
- On Windows systems, use type instead of cat. – hupseb Jan 31 '15 at 09:17
- On Windows this version of OpenSSL is easy to use for things like this: http://slproweb.com/products/Win32OpenSSL.html – Helge Klein May 05 '16 at 16:49
- The above steps worked well to convert a PFX to PEM. I had to do one additional step however: open the nokey PEM file in a text editor and move the last certificate in the chain to the top of the file. Otherwise nginx would throw an error complaining about the certs and refuse to use them. – EugeneRomero Mar 17 '17 at 20:55
- In that case you could reorder the cat command to put it first, like `cat file.key file.nokey.pem > file.combo.pem`. Unless the file.key itself has multiple in the wrong order. But in either case, you could likely re-arrange stuff programmatically. – user2415376 Sep 01 '17 at 13:15
- Use these arguments for passwords: '-password p set import/export password source -passin p input file pass phrase source -passout p output file pass phrase source' – Ivan Temchenko Sep 30 '18 at 13:24
- Worth mentioning that `openssl` can hang for some people on Windows; I found from this [answer](https://stackoverflow.com/a/38202633/198348) that using `winpty` helps fix the terminal I/O. – Ehtesh Choudhury Dec 12 '18 at 10:07
- I had to append `-clcerts` too: `openssl pkcs12 -in file.pfx -out file.pem -nodes -clcerts`; then I get a single file I could use with `cert`. – dashesy Sep 10 '20 at 20:24
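As an added example (not code from the answer above or from HAProxy's documentation), here is a POSIX shell script that does the single-file conversion non-interactively and then checks what came out. It assumes the PFX password is supplied in an environment variable named PFX_PASS (a name chosen for this example) and builds a throwaway self-signed certificate inside the script as constructed input; the file and function names are the example's own.

```shell
#!/bin/sh
# Added example: turn a PFX into one HAProxy-style PEM (certificate chain plus
# unencrypted private key) without interactive prompts, then verify the result.
set -eu

# Constructed test input: a throwaway self-signed key and certificate packed into a
# PFX. $1 is a working directory; the export password is read from $PFX_PASS
# (an environment variable name assumed for this example). Prints the PFX path.
make_test_pfx() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" \
        -keyout "$dir/test.key" -out "$dir/test.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/test.key" -in "$dir/test.crt" \
        -out "$dir/test.pfx" -passout env:PFX_PASS
    echo "$dir/test.pfx"
}

# The conversion from the answer above, made non-interactive. -nodes writes the
# key unencrypted, so umask 077 makes the output file 0600 from the moment it is
# created; -passin env: keeps the password out of argv (and so out of `ps`).
pfx_to_combined_pem() {
    pfx="$1"; out="$2"
    ( umask 077; openssl pkcs12 -in "$pfx" -out "$out" -nodes -passin env:PFX_PASS )
}

# Returns 0 when the file holds a private key and a certificate whose public key
# matches it. The PEM readers skip blocks of the other type, so block order does
# not matter for this check.
verify_combined_pem() {
    pem="$1"
    grep -q 'PRIVATE KEY-----' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# How many certificates the combined file carries (the whole chain lands in it).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Permission string of a file, e.g. -rw------- for a correctly protected key file.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demo: build the test PFX, convert it, report the checks, clean up.
run_demo() {
    work=$(mktemp -d)
    PFX_PASS="constructed-test-password"; export PFX_PASS
    pfx=$(make_test_pfx "$work")
    pfx_to_combined_pem "$pfx" "$work/combo.pem"
    verify_combined_pem "$work/combo.pem" && echo "key matches certificate"
    echo "certificates in file: $(count_certs "$work/combo.pem")"
    echo "file mode: $(file_mode "$work/combo.pem")"
    rm -rf "$work"
}

run_demo
```

The key-matches-certificate check is what catches the failure mode described in the comments (a converted file that silently lacks the key, or carries a key for a different certificate). Because -nodes leaves the private key in clear text, the file mode matters more than for a passphrase-protected key; the umask in a subshell restricts it without changing the umask for the rest of the script.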
You can use the OpenSSL command-line tool. The following commands should do the trick:
openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts
openssl pkcs12 -in client_ssl.pfx -out root.pem -cacerts
If you want your file to be password protected etc, then there are additional options.
You can read the entire documentation here.

- This only worked on Windows when I used the OpenSSL .exe in "C:\Program Files\Git\usr\bin\openssl.exe". When I used `openssl` from the git bash I got errors of `openssl pfx to pem error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong` – Chris Halcrow May 10 '21 at 03:24
- External reference not working; here is the updated [URL](https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html). – Shekar Kola Jan 25 '23 at 06:27
Although the other answers are correct and thoroughly explained, I found some difficulties understanding them. Here is the method I used (taken from here):
First case: To convert a PFX file to a PEM file that contains both the certificate and private key:
openssl pkcs12 -in filename.pfx -out cert.pem -nodes
Second case: To convert a PFX file to separate public and private key PEM files:
Extracts the private key from a PFX to a PEM file:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Exports the certificate (includes the public key only):
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Removes the password (passphrase) from the extracted private key (optional):
openssl rsa -in key.pem -out server.key

- In the first case, I get prompted for a password, even though the original certs didn't have one. – openCivilisation Apr 17 '21 at 14:50
- @openCivilisation You can disable the setting of a PEM pass phrase for the key.pem by adding `-nodes` after the `pkcs12`. – leonheess Nov 10 '21 at 20:09
- In case anyone wonders, -nodes means "no DES", not the English word "note". See https://stackoverflow.com/questions/5051655/ – Lionet Chen Apr 12 '23 at 00:05
You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs...
openssl pkcs12 -in $(unknown).pfx -nodes -nokeys -cacerts -out $(unknown)-ca.crt
# Extracting key file...
openssl pkcs12 -in $(unknown).pfx -nocerts -out $(unknown).key
# Extracting crt...
openssl pkcs12 -in $(unknown).pfx -clcerts -nokeys -out $(unknown).crt
# combine ca-certs and cert files
cat $(unknown).crt $(unknown)-ca.crt > $(unknown)-full.crt
# Removing passphrase from keyfile
openssl rsa -in $(unknown).key -out $(unknown).key
Link: https://gist.github.com/mediaupstream/a2694859b1afa59f26be5e8f6fd4806a

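The separate-files procedure of the previous two answers, together with the chain-ordering problem raised in the comments on the first answer (nginx rejecting a chain file whose leaf certificate is not first), as an added shell example; this is not code from any of the answers or from the linked gist. It assumes the PFX password arrives in an environment variable named PFX_PASS and builds its own throwaway root CA and CA-signed leaf certificate as constructed input; file and function names are the example's own.

```shell
#!/bin/sh
# Added example: split a PFX into leaf certificate, CA certificates and unencrypted
# key, rebuild the chain file leaf-first, and verify that the pieces fit together.
set -eu

# Constructed test input: a throwaway root CA, a leaf certificate signed by it, and a
# PFX holding leaf key + leaf cert + CA cert. $1 is a working directory; the export
# password is read from $PFX_PASS (a variable name assumed for this example).
make_chain_pfx() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/leaf.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
        -certfile "$dir/ca.crt" -out "$dir/chain.pfx" -passout env:PFX_PASS
    echo "$dir/chain.pfx"
}

# Split $1 into $2.crt (leaf only), $2-ca.crt (CA certs only), $2.key (unencrypted,
# created 0600) and $2-full.crt (leaf first, then issuers: the order a TLS server
# expects). -clcerts selects the cert(s) paired with the key, -cacerts the rest.
split_pfx() {
    pfx="$1"; base="$2"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$base.crt" -passin env:PFX_PASS
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$base-ca.crt" -passin env:PFX_PASS
    ( umask 077; openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$base.key" -passin env:PFX_PASS )
    cat "$base.crt" "$base-ca.crt" > "$base-full.crt"
}

# Returns 0 when the extracted CA bundle ($2) verifies the extracted leaf ($1).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject of the first certificate in a PEM file: a quick check that the leaf is first.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Stand-alone demo: build the test PFX, split it, report the checks, clean up.
run_demo() {
    work=$(mktemp -d)
    PFX_PASS="constructed-test-password"; export PFX_PASS
    pfx=$(make_chain_pfx "$work")
    split_pfx "$pfx" "$work/out"
    chain_verifies "$work/out.crt" "$work/out-ca.crt" && echo "CA bundle verifies the leaf"
    echo "first cert in chain file: $(first_cert_subject "$work/out-full.crt")"
    echo "certs in chain file: $(count_certs "$work/out-full.crt")"
    rm -rf "$work"
}

run_demo
```

Concatenating the -clcerts output before the -cacerts output gives the leaf-first order directly, which is the programmatic fix the comment thread hints at; `openssl verify` on the two extracted files confirms that the CA bundle really does issue the leaf, so a mismatched or incomplete chain is caught before it reaches the server configuration.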
For PFX that is locked with a password
It is recommended to combine the password argument, in one command, with the conversion, to avoid errors.
Like this. This command is for extracting the private key:
openssl pkcs12 -in "blablabla.pfx" -out key.key -nodes -passin pass:blablabla
and this command is for extracting the public key:
openssl pkcs12 -in "blablabla.pfx" -clcerts -nokeys -out crt.crtpem -nodes -passin pass:blablabla
