Is it possible to convert a .pfx (Personal Information Exchange) file to a .cer (Security Certificate) file? Unless I'm mistaken, isn't a .cer somehow embedded inside a .pfx? I'd like some way to extract it, if possible.
Asked
Active
Viewed 4.2e+01k times
8 Answers
274
PFX files are PKCS#12 Personal Information Exchange Syntax Standard bundles. They can include arbitrary number of private keys with accompanying X.509 certificates and a certificate authority chain (set certificates).
If you want to extract client certificates, you can use OpenSSL's PKCS12 tool.
openssl pkcs12 -in input.pfx -out mycerts.crt -nokeys -clcerts
The command above will output certificate(s) in PEM format. The ".crt" file extension is handled by both macOS and Window.
You mention ".cer" extension in the question which is conventionally used for the DER encoded files. A binary encoding. Try the ".crt" file first and if it's not accepted, easy to convert from PEM to DER:
openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer
hemp
- 5,602
- 29
- 43
Berk D. Demir
- 6,053
- 3
- 17
- 11
-
18+1 for explaining what the file is in addition to providing the commands. – Joshua Drake Feb 28 '12 at 14:47
-
"Mac verify error: invalid password?" when I tried it. I don't know any passwords, I just have the file my vendor supplied. – Brian Knoblauch Apr 14 '14 at 20:13
-
1IT seems like dropping "-nokeys" works when you are attemtping to convert a certificate with its private keys, say for use with Fiddler – Gert van den Berg Nov 17 '16 at 07:46
-
@Berk, Aside from OpenSSL, does Windows cmd have any way to do it? – Pacerier Nov 19 '16 at 22:17
105
the simple way I believe is to import it then export it, using the certificate manager in Windows Management Console.
Andrew Cox
- 10,672
- 3
- 33
- 38
-
10i tried doing this but when i select export private key , i am getting .cer (DER encoded) option disabled . and midletsigner utility need provatekey anyhow.. – jmj Apr 28 '10 at 04:38
-
3You have to check the box when you import it, that says "mark this key as exportable" – Andrew Cox Apr 28 '10 at 08:35
-
12How to get to the Certificate Manager in Windows: http://msdn.microsoft.com/en-us/library/ms788967.aspx – James White Feb 04 '11 at 21:35
-
13The easier way to open the Windows certificate manager is to type "certmgr.msc" at the command prompt. – Jan Derk Jul 03 '15 at 09:00
-
@AndrewCox, However is there any difference behind-the-scenes between marking it as exportable and not marking it as such. Or is it simply a UI option? – Pacerier Nov 19 '16 at 22:16
63
If you're working in PowerShell you can use something like the following, given a pfx file InputBundle.pfx, to produce a DER encoded (binary) certificate file OutputCert.der:
Get-PfxCertificate -FilePath InputBundle.pfx |
Export-Certificate -FilePath OutputCert.der -Type CERT
Newline added for clarity, but you can of course have this all on a single line.
If you need the certificate in ASCII/Base64 encoded PEM format, you can take extra steps to do so as documented elsewhere, such as here: https://superuser.com/questions/351548/windows-integrated-utility-to-convert-der-to-pem
If you need to export to a different format than DER encoded, you can change the -Type parameter for Export-Certificate to use the types supported by .NET, as seen in help Export-Certificate -Detailed:
-Type <CertType>
Specifies the type of output file for the certificate export as follows.
-- SST: A Microsoft serialized certificate store (.sst) file format which can contain one or more certificates. This is the default value for multiple certificates.
-- CERT: A .cer file format which contains a single DER-encoded certificate. This is the default value for one certificate.
-- P7B: A PKCS#7 file format which can contain one or more certificates.
Ian Gallagher
- 795
- 5
- 8
-
Export-Certificate is only available for some versions like Win 8.1 and Server 2012 R2 though. If you're in some other version like Win 7, then no luck! – Deep-B May 20 '15 at 18:21
-
1It should be present in Server 2012 and Windows 8.0 (https://technet.microsoft.com/en-us/library/hh848628(v=wps.620).aspx), but good point about Windows 7 and such! – Ian Gallagher May 21 '15 at 19:36
-
-
This is way more convenient if you don't want to install OpenSSL stuff! – Leonardo Herrera Jul 07 '20 at 19:30
33
I wanted to add a method which I think was simplest of all.
Simply right click the pfx file, click "Install" follow the wizard, and add it to a store (I added to the Personal store).
In start menu type certmgr.msc and go to CertManager program.
Find your pfx certificate (tabs at top are the various stores), click the export button and follow the wizard (there is an option to export as .CER)
Essentially it does the same thing as Andrew's answer, but it avoids using Windows Management Console (goes straight to the import/export).
kingPuppy
- 2,937
- 1
- 18
- 18
-
Not much faster since you'd still have to open certmgr.msc to export it.... – Pacerier Nov 19 '16 at 22:18
-
i knew there was an easy way to do this, thank you very much! worked like a charm `[+1]` – kapitan Feb 15 '23 at 06:19
3
You can extract ca-bundle, .crt and .key from .pfx using this.
# Extracting ca-certs..."
openssl pkcs12 -in ${filename}.pfx -nodes -nokeys -cacerts -out ${filename}-ca.crt
# Extracting key file..."
openssl pkcs12 -in ${filename}.pfx -nocerts -out ${filename}.key
# Extracting crt..."
openssl pkcs12 -in ${filename}.pfx -clcerts -nokeys -out ${filename}.crt
# combine ca-certs and cert files
cat ${filename}.crt ${filename}-ca.crt > ${filename}-full.crt
# Removing passphrase from keyfile"
openssl rsa -in ${filename}.key -out ${filename}.key
iamattiq1991
- 746
- 9
- 11
2
- Start OpenSSL from the OpenSSL\bin folder.
- Open the command prompt and go to the folder that contains your .pfx file.
- Run the following command to extract the private key: openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key] You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will be prompted again to provide a new password to protect the .key file that you are creating. Store the password to your key file in a secure place to avoid misuse.
- Run the following command to extract the certificate: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
- openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
Convert .pfx file to .pem format
There might be instances where you might have to convert the .pfx file into .pem format. Run the following command to convert it into PEM format.
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
source :https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file
mostafa kazemi
- 514
- 6
- 7
1
Might be irrelevant to OP's Q, but I've tried all openssl statements with all the different flags, while trying to connect with PHP \SoapClient(...) and after 3 days I finally found a solution that worked for me.
GitBash
$ cd path/to/certificate/
$ openssl pkcs12 -in personal_certificate.pfx -out public_key.pem -clcerts
First you have to enter YOUR_CERT_PASSWORD once, then DIFFERENT_PASSWORD! twice. The latter will possibly be available to everyone with access to code.
PHP
$wsdlUrl = "https://example.com/service.svc?singlewsdl";
$publicKey = "rel/path/to/certificate/public_key.pem";
$password = "DIFFERENT_PASSWORD!";
$params = [
'local_cert' => $publicKey,
'passphrase' => $password,
'trace' => 1,
'exceptions' => 0
];
$soapClient = new \SoapClient($wsdlUrl, $params);
var_dump($soapClient->__getFunctions());
s3c
- 1,481
- 19
- 28
