How can I create a PEM file from an SSL certificate?
These are the files that I have available:
.crtserver.csrserver.key
Asked
Active
Viewed 1.5M times
781
sdgfsdh
- 33,689
- 26
- 132
- 245
Sergio Rodriguez
- 8,258
- 3
- 18
- 25
-
4Other way round: [Convert `.pem` to `.crt` and `.key`](https://stackoverflow.com/q/13732826/55075). – kenorb May 17 '19 at 11:07
-
The same question has some slightly different answers you may find useful: https://stackoverflow.com/questions/4691699/how-to-convert-crt-to-pem/ – NeilG Mar 20 '23 at 21:32
12 Answers
1024
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
Stevoisiak
- 23,794
- 27
- 122
- 225
maxwellb
- 13,366
- 2
- 25
- 35
-
2Check the format of the server.key. I only assumed it was RSA. But reading the first line of the file will probably tell you that. – maxwellb Jun 13 '09 at 23:32
-
15Just a heads up that `cat server.crt server.key > server.pem` won't place the open comment on its own line, which seems to be a requirement. Courier mail gave me hell and it took me hours to figure out what was going wrong. – Graham Walters Feb 12 '14 at 01:36
-
1Thanks Graham. Different tools will generate the files differently, and ultimately, some verification is good. When I performed these steps, the files ended with a newline, for example. – maxwellb Feb 19 '14 at 15:25
-
1The tip about concatenating the .crt and .key files together was very helpful. I wanted to use my certificate with stunnel3, but it didn't have a way to specify the key file. Using the concatenation worked. (Actually, since stunnel3 is a Perl program, I added an option to it myself for reading the key file. However, since I saw later the concatenation worked, I've reverted stunnel3 to its original code.) – Mr. Lance E Sloan Jun 25 '14 at 17:31
-
6Just a bump to say that cat ```server.crt server.key > server.includesprivatekey.pem``` is useful for SSL with haproxy 1.5. – jimm101 Sep 18 '14 at 17:49
-
This is not totally true, for example AWS console do not recognise my files as pem format also if they begin with *-----BEGIN* The right answer that worked for me was @slf answer, below. – Diego D Jun 30 '16 at 10:51
-
1Hi, I've generated self-sign certs with command **openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout a.key -out a.crt** Both a.key and a.crt have -----BEGIN at the start does that mean they are both in a PEM format? – sebastian_t Jul 31 '20 at 17:38
-
-
where is this code supposed to go? openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem In the command line?? Because I get an error – Normajean May 22 '21 at 05:47
-
Yes, the command line. If you have specific questions to resolve your error, I encourage you to open a question on the relevant site. My guess though is that you don't have openssl installed, so follow directions for your operating system to get the openssl program. – maxwellb May 25 '21 at 16:05
270
I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Thanks NCZ
Edit: As @floatingrock says
With AWS, don't forget to prepend the filename with file://. So it'll look like:
aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
slf
- 22,595
- 11
- 77
- 101
-
21With AWS, don't forget to prepend the filename with `file://`. So it'll look like: `aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://~/Desktop/server.crt --private-key file://~/Desktop/private.key --path /cloudfront/static/` – FloatingRock Nov 06 '14 at 04:03
-
1The second command does nothing if your input is a pem file so assuming it is, you only need the first command – Kristofer Jan 19 '15 at 11:48
-
Awesome! This is worked well for me! Just converted my .key and .crt files to .pem using your lines of code and then I uploaded (copy/paste) via AWS console. Thanks! – Diego D Jun 30 '16 at 10:52
108
A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:
cat server.crt server.key > server.pem
sth
- 222,467
- 53
- 283
- 367
-
11watchout for missing newlines our your pem file might have garbled lines like -----END CERTIFICATE----------BEGIN CERTIFICATE----- – Wolfgang Fahl Jan 05 '16 at 16:27
34
Additionally, if you don't want it to ask for a passphrase, then need to run the following command:
openssl rsa -in server.key -out server.key
-
16If you want a file starting with `-----BEGIN RSA PRIVATE KEY-----` and have one that starts with `-----BEGIN ENCRYPTED PRIVATE KEY-----`, this is the command you want to use. – Philippe Gerber Feb 16 '13 at 12:50
-
1This is also what you use to get the key into a mysql compatible format. – Matthew Lenz Feb 11 '22 at 16:05
11
All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.
I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.
Standards
| Standards | Content format | File encoding | Possible content |
|---|---|---|---|
| X509 | X | Certificates | |
| PKCS#1 | X | RSA keys (public/private) | |
| PKCS#7 | X | Certificates, CRLs | |
| PKCS#8 | X | Private keys, encrypted private keys | |
| PKCS#12 | X | Certificates, CRLs, private keys | |
| JKS | X | Certificates, private keys | |
| PEM | X | ||
| DER | X |
Common combinations
| Content \ Encoding | PEM (*) | DER (**) | Binary |
|---|---|---|---|
| X509 | X | X | |
| PKCS#1 | X | X | |
| PKCS#7 (***) | X | X | |
| PKCS#8 | X | X | |
| PKCS#12 (***) | X | ||
| JKS (***) | X |
This is a gist explains the same thing + commands for conversion/verification/inspection.
In conclusion, typical steps to work with cryptography/PKI materials:
- Understand which format they are in (use verification/inspection commands)
- Understand which format they are required (read doc)
- Use conversion commands to convert the files
- Optional: use verification/inspection commands to verify converted files
maximus
- 1,290
- 1
- 14
- 18
9
I was trying to go from godaddy to app engine. What did the trick was using this line:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
And I answered all the questions pertaining to common name / organization as www.name.com
Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
Community
- 1
- 1
-
(godaddy) this worked for me. 1st- downloaded the certificate after using the first line for server type "Apache". Then I used the public.pem and private.pem for the ssl_certificate and ssl_certificate_key respectively in nginx.conf :) – Rick Penabella Nov 23 '20 at 20:33
5
What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.
Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.
Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:
grep -A 1000 BEGIN cert.crt > cert.pem
adityalad
- 161
- 2
- 4
-
1another option is simply to pass the non-strict certificate through `openssl x509`. It will output a valid PEM certificate: `cat certificate.crt | openssl x509 > certificate.pem` – T0xicCode Jul 17 '13 at 15:47
-
If you want to get everything from "BEGIN" to the end of the file, that's a job for sed. Specifically, you want something like `sed -n '/--BEGIN/,$p' cert.crt` in this case. To explain that: the "-n" tells sed to not print anything by default, and then the range expression `/--BEGIN/,$` makes the `p` command (print) apply to lines between the first line which contains `--BEGIN` and the end of the file (`$`). – dannysauer Apr 24 '17 at 17:13
5
On Windows, you can use the certutil tool:
certutil -encode server.crt cert.pem
certutil -encode server.key key.pem
You can combine both files to one in PowerShell like this:
Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem
And in CMD like this:
copy cert.pem+key.pem cert-and-key.pem /b
stackprotector
- 10,498
- 4
- 35
- 64
-
1It is excellent to see people still contributing to this question after all these years. OP – Sergio Rodriguez Apr 23 '22 at 11:47
4
- Download certificate from provisional portal by appleId,
- Export certificate from Key chain and give name (Certificates.p12),
- Open terminal and goto folder where you save above Certificates.p12 file,
Run below commands:
a)
openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,b)
openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts- Your .pem file ready "pushcert.pem".
Ashvin
- 8,227
- 3
- 36
- 53
4
Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.
aws iam upload-server-certificate
--server-certificate-name mycert
--certificate-body file://try2/40271b1b25236fd1.crt
--private-key file://server.key
--path /cloudfront/production/
--certificate-chain file://try2/gdig2_bundle.crt
And to delete your previous failed upload you can do
aws iam delete-server-certificate --server-certificate-name mypreviouscert
skensell
- 1,421
- 12
- 21
-
This did not work for me `An error occurred (MalformedCertificate) when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.` – Adam Raudonis Sep 01 '18 at 20:19
1
- Open terminal.
- Go to the folder where your certificate is located.
- Execute below command by replacing name with your certificate.
openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts
- Hope it will work!!
Dhaval H. Nena
- 3,992
- 1
- 37
- 50