How to convert certificates into different formats using OpenSSL

Different servers and control panels may require SSL certificates in different file formats. In order to convert the certificates from one format to another, you can use OpenSSL package generally available on Linux machines.

In fact the certificates we provide are issued in x.509 format which is the version of ASN.1 file encoding standard. In this article we will talk about the file formats which differ based on encoding rules.

On the whole, we can differentiate the following certificate file formats:

1) PEM is a base64 encoded certificate placed between the headers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. It is the most widespread certificate format, which is mostly used by Linux-based servers, like Apache, Nginx, and by the majority of webhosting control panels (cPanel, Plesk, DirectAdmin, WebMin, etc.). PEM certificates may have the following file extensions: *.pem, *.crt, *.cer. Comodo CA (now Sectigo CA) sends out their certificates in PEM, if any server type except ‘Microsoft Internet Information Server’ (Microsoft IIS) is chosen during the certificate activation.


2) PKCS#7 is another certificate with Base64 encoding that is used generally by Windows and Java-based Tomcat servers, and may contain domain end-entity certificate and CA chain certificates. If you open a PKCS#7 file in a text editor, you can see the encoded text between -----BEGIN PKCS7----- and -----END PKCS7----- tags. The most common extensions are: *.p7b, *.p7s, *.cer. The certificate in PKCS#7 format can be retrieved from Comodo CA (now Sectigo CA), if you choose ‘Microsoft Internet Information Server’ as a server type during the certificate activation.


3) PKCS#12/PFX is a file in binary format that contains the certificate with a corresponding private key and is protected by a password. Optionally, the file can include the CA chain certificates as well. Usually, PFX certificates are used on Windows machines, and are essential for transferring the certificate from one Windows server to another. The file extensions are: *.p12 and *.pfx.

To convert the certificates into different formats, you can use the following commands:

From PEM to PKCS#7:

openssl crl2pkcs7 -nocrl -certfile your_pem_certificate.crt -out your_pkcs7_certificate.p7b -certfile CA-bundle.crt

From PKCS#7 to PEM:

openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem

Note: If PKCS#7 file included the chain certificates, the newly generated .pem file would include them as well, separately.

From PEM to PFX:

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt

You will be also prompted to specify the password for the PFX file. Make sure you remember the password, it will be used when you need to import the PFX to a new server.

From PFX to PEM:

openssl pkcs12 -in your_pfx_certificate.pfx -out your_pem_certificates_and_key.pem -nodes

You will be asked to specify the password that was used when creating the PFX file you are converting. The obtained PEM file will contain the certificate, chain certificates (optionally) and the private key.

From PKCS#7 to PFX:

To convert a certificate from PKCS#7 to PFX, the certificate should be first converted into PEM:

openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem

After that, the certificate can be converted into PFX.

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt

Alternatively, the certificates can be converted using this online tool.

Updated
Viewed
62301 times

Need help? We're always here for you.

notmyip