Convert a PFX file to a PEM file
Bold indicates a button clicked or key pressed.
“quotes” indicates a value which has been entered.
Grey block quote is a command typed directly into the console.
Purpose
The following steps allow you to convert a PFX certificate file in Windows Server to a PEM file. This is important since most Linux/Unix systems prefer a PEM format for certificate use, especially something like an Apache web server.
- Download and install the Win32 OpenSSL (v0.9.8i) package from http://www.slproweb.com/products/Win32OpenSSL.html
- Create the folder C:\certs and copy your exported PFX certificate file into the C:\certs folder. The name yourcert.pfx is used in this example.
- Go to Start, then click Run and type in “cmd” and press enter. This should bring up a command prompt which you can use to change into the OpenSSL bin directory.
- cd %homedrive%\OpenSSL\bin
- openssl pkcs12 -in C:\certs\yourcert.pfx -out c:\certs\newcertname.pem -nodes
- This should convert the file from PFX format to PEM format. Feel free to substitute your own name for “newcertname.pem”. Be sure this command is entered as one line, regardless of how it appears on this site. When prompted, enter the password you used when exporting the PFX file from the Windows certificate store. You should then receive the message “MAC verified OK”. Note that the -nodes option writes the private key into the PEM file unencrypted, so keep C:\certs readable only by the accounts that need it.
- Open “newcertname.pem” in notepad, and cut out the private key into C:\OpenSSL\bin\private\privatekey.pem (or another path and name as you see fit).
- Also cut out the CA Certificate into C:\OpenSSL\bin\cacert.pem
- Modify the c:\OpenSSL\bin\openssl.cfg configuration file and change the [alt_names] section to whichever alternative names you wish.
- Create a new request by typing the following commands.
- openssl req -new -nodes -keyout privatekey.pem -out cert-request.pem
- openssl ca -out issued-cert -in cert-request.pem
- This should have created a new request and signed it with the CA’s private key. Keep in mind that the paths to these certificate files are not included here, so make sure you are in the proper directory (i.e. the same directory) for those files.
- If you get errors during this procedure, clear the index.txt and serial files within the OpenSSL directory to be sure it is working with a fresh batch. Below is the configuration file for OpenSSL, to be used as reference. Not all of the configuration is the same, so be sure to double check names of certificates and paths.
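Separately from the configuration file mentioned above, the Notepad steps that cut the private key and CA certificate out of “newcertname.pem” can be scripted. This Python sketch is an added example, not part of the original procedure; the sample bundle is constructed, the cert.pem file name is hypothetical, and it assumes the certificate paired with the key is the one carrying a localKeyID bag attribute.

```python
import os
import re
# Constructed sample shaped like `openssl pkcs12 -nodes` output (dummy base64 bodies).
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN RSA PRIVATE KEY-----
QUJDRA==
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=www.example.test
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
RUZHSA==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Example Test CA
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
SUpLTA==
-----END CERTIFICATE-----
"""
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def split_bundle(text):
    """Split a combined PEM bundle into key, leaf certificate(s) and CA certificate(s)."""
    out = {"key": None, "key_encrypted": False, "leaf": [], "ca": []}
    pos = 0
    for m in BLOCK.finditer(text):
        preamble, pos = text[pos:m.start()], m.end()  # bag attributes before this block
        label, pem = m.group(1), m.group(0).replace("\r\n", "\n") + "\n"
        if label.endswith("PRIVATE KEY"):
            out["key"] = pem
            # Encrypted keys are PKCS#8 "ENCRYPTED PRIVATE KEY" or carry a Proc-Type header
            out["key_encrypted"] = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in m.group(2)
        elif label == "CERTIFICATE":
            # Assumption: only the certificate paired with the key has a localKeyID attribute
            out["leaf" if "localKeyID" in preamble else "ca"].append(pem)
    return out

def write_parts(parts, outdir):
    """Write privatekey.pem and cacert.pem (names from the steps) plus cert.pem (hypothetical)."""
    files = {"privatekey.pem": parts["key"] or "", "cert.pem": "".join(parts["leaf"]),
             "cacert.pem": "".join(parts["ca"])}
    for name, body in files.items():
        fd = os.open(os.path.join(outdir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # owner-only on POSIX
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write(body)
    return sorted(files)
```

On Windows the 0o600 mode does not restrict other accounts, so limit access with the folder's ACL instead. A bundle produced with -nodes will report key_encrypted as False, which is the cue to protect privatekey.pem accordingly.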