How to Convert PFX to Crt/PEM & Key Files
Introduction
What is PFX
A PFX (Personal Information Exchange) file is a format used to store a combination of a private key, a public key, and the corresponding digital certificate. It is also known as a PKCS #12 file. These files are used primarily for securing and transferring digital certificates and their associated private keys.
PFX files are often used in scenarios where both the certificate and the private key need to be exported or imported together. For instance, when installing SSL/TLS certificates on web servers, the PFX file can be used to easily import both the certificate and its associated private key onto the server, simplifying the setup process.
PFX files are password-protected to ensure security. Users typically set a password during the creation of the PFX file, which is required to access the private key and the certificate stored within it.
What are crt and key files?
.crt and .key files are file extensions used for storing specific components related to SSL/TLS certificates and their corresponding private keys.
1 .crt (Certificate file):
The .crt file, also known as a certificate file, contains the public portion of an SSL/TLS certificate. It contains information about the certificate’s owner, the certificate’s validity period, the digital signature of the certificate authority (CA) that issued it, and the public key. This file is often used to install SSL/TLS certificates on web servers or other applications requiring secure communication.
2 .key (Private Key file):
The .key file holds the private key corresponding to the certificate file’s public key (.crt). This private key is essential for decrypting data that has been encrypted using the public key associated with the certificate. The private key should be kept confidential and securely stored, as it is a critical component in establishing secure connections and encrypting sensitive information.
Let’s now see How to Convert PFX to Crt/PEM & Key Files
Prerequisites:
- Download OpenSSL from Here
- Keep ready the certificate PFX file which was exported (with password) from Windows Certificate or IIS or from Azure Platform etc..
- Install Open SSL (usually installed in C:\Program Files\OpenSSL-Win64\)
Steps to Convert PFX to .Crt/PEM & .Key Files
- Open Command Prompt as Administrator (right-click on Command Prompt and select Run as Administrator)
- Switch to OpenSSL path i.e. C:\Program Files\OpenSSL-Win64\
- Verify that the Command Prompt path should be like below
4. Copy the PFX certificate files for ex:- certificate.pfx (please replace it with your actual file name) into the “C:\Program Files\OpenSSL-Win64\bin” folder (else you can mention the absolute path of the file)
5. After copying the SSL files into the Bin folder. Run the below commands in the command prompt to export the private key file:
openssl pkcs12 -in certificate.pfx -nocerts -out certificate.keyIt will prompt for the pfx file password to import the certificate. Then it will ask to provide the new password for key file, provide the new password twice and press enter, there will be no error thrown which means it has successfully exported the key file
6. Now enter the next command as mentioned below to export .cer file from PFX:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes Again it will prompt for the password of pfx file but there is no new password is required to be entered. If export is successful then there will be no error or message.
7. The last command is to convert the private key file to be used without the password which may be the requirement in some scenarios like in Nginx or Apache, please replace the certificate.key file name with your actual filename which was created on Step 5.
openssl rsa -in certificate.key -out certificate_pvt.keyIt will prompt for the password that you have created in Step 5 while exporting the private key file from PFX.
Now, check the location “C:\Program Files\OpenSSL-Win64\bin” or if you have used the absolute path for Crt and Key files.
You have Successfully converted the PFX to CRT and Key files that you can use in Apache or Linux or wherever it is required.
Conclusion
It is quite simple to convert get the CRT and key files from PFX certificate. It can be done through online portal like SSL shopper. However, I would not suggest it as your own certificate would be uploaded on third party server which could be the complaince issue. Rather go for the Offline conversion as mentioned above. If you like this article you can share it further.
