Converting Certificates using OpenSSL

Certificates are an integral part of every IT infrastructure and service, since they are used to encrypt data, secure communications, verify identities and provide trust. In this article I'm going to demonstrate a number of conversions you may have to perform in order to prepare a certificate for import into a system. Before moving on to the actual conversions, a few words about certificates and their file extensions.

There are two different encodings for an X.509 certificate, DER and PEM. DER encoded files are binary, in contrast to PEM files, which are Base64 encoded and human readable.

File Extensions
The most commonly used file extensions for certificate and key files are:
  • .crt - Used for certificates in DER or PEM format.
  • .cer - Also used for certificates, an alternative to .crt.
  • .key - Used for private key files.
  • .pfx - Used for certificate and private key bundles. Uses a different format from the others (PKCS#12).
When it comes to certificate conversions, OpenSSL is the tool to use. Since PKCS#12 is most probably the format in which you are going to receive your certificate, we'll start with that.

To export the certificate without the private key to PEM format use the command:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer

To export the CA certificates of the chain in PEM format (the -chain option only applies when creating a bundle with -export, so it is not needed here):
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out chain.cer

To export the private key use:
openssl pkcs12 -in certificate.pfx -nocerts -out privatekey.key

During the private key export, you'll be asked for a passphrase to protect the key. To remove the passphrase use:
openssl rsa -in privatekey.key -out key.key

The last conversion would be to convert the pkcs file to pem without splitting it into multiple files:
openssl pkcs12 -in certificate.pfx -out certificate.pem

If the private key must not be encrypted in the PEM file, add the "-nodes" parameter.

That's pretty much it when converting from pkcs, let's move on to DER.

To convert a certificate file from PEM to DER use the command:
openssl x509 -outform der -in certificate.pem -out certificate.der

The other way around would be:
openssl x509 -inform der -in certificate.cer -out certificate.pem

If you created the certificate signing request yourself and have the certificate and private key in separate files, you can bind them together in a pkcs file using the command:
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx
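As an added example that is not part of the original post, the script below runs the conversions above end to end on a throwaway self-signed certificate and then checks two things a practitioner wants before importing anything: that the extracted private key really belongs to the extracted certificate, and that the PEM/DER round trip is lossless. It assumes openssl is on PATH; the file names, the password and the demo certificate are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an openssl binary on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, constructed for the demo
PASS='demo-password'          # constructed; passed via -passin/-passout so nothing prompts

# Build a throwaway self-signed certificate and key, then bundle them into a
# .pfx exactly as the "bind them together" command in the post does.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
    -keyout "$WORK/privatekey.key" -out "$WORK/certificate.cer" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/certificate.cer" -inkey "$WORK/privatekey.key" \
    -passout "pass:$PASS" -out "$WORK/certificate.pfx"
}

# The conversions from the post: certificate only, unencrypted key, then DER.
split_pfx() {
  openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$PASS" \
    -clcerts -nokeys -out "$WORK/out.cer"
  openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$PASS" \
    -nocerts -nodes -out "$WORK/out.key"
  openssl x509 -outform der -in "$WORK/out.cer" -out "$WORK/out.der"
}

# Check 1: the key and certificate belong together. Deriving the public key
# from each side and comparing works for RSA and EC keys alike (openssl pkey
# is key-type agnostic, unlike openssl rsa).
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/out.cer")
  key_pub=$(openssl pkey -in "$WORK/out.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: DER -> PEM gives back the same certificate text. The pkcs12 output
# carries "Bag Attributes" lines before the PEM block, so normalise it through
# openssl x509 before comparing.
der_roundtrip_ok() {
  openssl x509 -inform der -in "$WORK/out.der" -out "$WORK/back.pem"
  [ "$(openssl x509 -in "$WORK/out.cer")" = "$(cat "$WORK/back.pem")" ]
}

make_demo_pfx && split_pfx
if key_matches_cert && der_roundtrip_ok; then
  echo "OK: key matches certificate and DER round-trip is clean (files in $WORK)"
else
  echo "FAILED: key/certificate mismatch or DER round-trip differs" >&2
  exit 1
fi
```

Point WORK at an existing directory holding a real certificate.pfx and skip make_demo_pfx to run the same checks on a bundle you actually received.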

You can get copies of the OpenSSL binaries for Windows from here.

I hope you find the information and commands useful!
