SyntaxFix

[openssl] Converting pfx to pem using openssl

How to generate a .pem CA certificate and client certificate from a PFX file using OpenSSL.

This question is related to openssl pem pfx

The answer is

You can use the OpenSSL Command line tool. The following commands should do the trick

openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts

openssl pkcs12 -in client_ssl.pfx -out root.pem -cacerts

If you want your file to be password protected etc, then there are additional options.

You can read the entire documentation here.

Another perspective for doing it on Linux... here is how to do it so that the resulting single file contains the decrypted private key so that something like HAProxy can use it without prompting you for passphrase.

openssl pkcs12 -in file.pfx -out file.pem -nodes

Then you can configure HAProxy to use the file.pem file.

This is an EDIT from previous version where I had these multiple steps until I realized the -nodes option just simply bypasses the private key encryption. But I'm leaving it here as it may just help with teaching.

openssl pkcs12 -in file.pfx -out file.nokey.pem -nokeys
openssl pkcs12 -in file.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key
cat file.nokey.pem file.key > file.combo.pem
  1. The 1st step prompts you for the password to open the PFX.
  2. The 2nd step prompts you for that plus also to make up a passphrase for the key.
  3. The 3rd step prompts you to enter the passphrase you just made up to store decrypted.
  4. The 4th puts it all together into 1 file.

Then you can configure HAProxy to use the file.combo.pem file.

The reason why you need 2 separate steps where you indicate a file with the key and another without the key, is because if you have a file which has both the encrypted and decrypted key, something like HAProxy still prompts you to type in the passphrase when it uses it.

Despite that the other answers are correct and thoroughly explained, I found some difficulties understanding them. Here is the method I used (Taken from here):

First case: To convert a PFX file to a PEM file that contains both the certificate and private key:

openssl pkcs12 -in filename.pfx -out cert.pem -nodes

Second case: To convert a PFX file to separate public and private key PEM files:

Extracts the private key form a PFX to a PEM file:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Exports the certificate (includes the public key only):

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Removes the password (paraphrase) from the extracted private key (optional):

openssl rsa -in key.pem -out server.key

Source: Stackoverflow.com

Examples related to openssl

dyld: Library not loaded: /usr/local/opt/openssl/lib/libssl.1.0.0.dylib How to install OpenSSL in windows 10? SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443 How to fix: fatal error: openssl/opensslv.h: No such file or directory in RedHat 7 Homebrew refusing to link OpenSSL Solving sslv3 alert handshake failure when trying to use a client certificate How to install latest version of openssl Mac OS X El Capitan How to resolve the "EVP_DecryptFInal_ex: bad decrypt" during file decryption SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Can't get private key with openssl (no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY)

Examples related to pem

Connect over ssh using a .pem file Node.js https pem error: routines:PEM_read_bio:no start line Generate .pem file used to set up Apple Push Notifications Differences between "BEGIN RSA PRIVATE KEY" and "BEGIN PRIVATE KEY" How to save public key from a certificate in .pem format Converting pfx to pem using openssl How to read .pem file to get private and public key scp (secure copy) to ec2 instance without password How to convert .crt to .pem Convert PEM to PPK file format

Examples related to pfx

Converting pfx to pem using openssl Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected' Convert .pfx to .cer

Tags

Oas Soft-hyphen Minesweeper Qstandarditemmodel Mach-o Game-development Multiple-choice Terminfo Scikits Fasta Jquery-forms-plugin Predicates Resource-leak Google-instant-previews Cancel-button Google-books Matcher Intersect Resin Phpmyid Unlink Bass.dll Panels Scope Shared-addin Ihttpasynchandler Jtoolbar Scaletransform Treemap Non-lazy-ptr Asa Params Attached-properties Description-logic Hamachi All-files Msitransform Ssms Start-process Adjacency-matrix Stretched Minidumpwritedump Barcode Custom-draw Static-compilation Mdsd Powershell-remoting Labels Click-tracking Liferay-6 Code-completion Crm Cakephp-1.3 Plug-and-play Notnull Macos Ireport Xmlencoder Datacontracts Variable-caching Tscrollbox Colormatrixfilter Menubar Android-alarms Intense-debate Qt-creator Mediaelement.js Ixmldomnode Cfpdf Timestamping Visual-modeler Elasticlayout Kxml Application-shutdown Device-detection Geotiff Cfimage Asp.net-mvc-validation Jquery-post Url-pattern Gwt Flash-scope Gerrit Storekit Strict Nsdate Fetched-property Cmp Iso8601 Nspopupbuttoncell Google-friend-connect First-chance-exception Uitextfield Python-2to3 Hardcode External-process Pdu Narwhal Static-reflection Undo-redo