213

I've seen a couple questions about how to convert a PFX to a cert file, but I need to go the other way.

I have two files:

bob_cert.cert

bob_key.pem

I'd like to convert them to a single .pfx file. Is there a tool that does this?

Community
bendewey
  • 20
    http://serverfault.com/a/9717/3202 is a great explanation about cert file formats, just fyi – Rory Mar 03 '14 at 17:35

4 Answers

398
```
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
```
Francis
  • 8
    How can I achieve the same thing programmatically in C#? – pankajt Sep 24 '09 at 06:21
  • Check MSDN. It has great examples for doing so in C#. – Francis Oct 06 '09 at 11:21
  • 2
    Could you point me in the direction of these examples? I can't seem to find anything. – Nick Jun 22 '10 at 18:52
  • 10
    Windows version of OpenSSL is available at http://www.slproweb.com/products/Win32OpenSSL.html. Just tried it, and it worked properly for this purpose. – BrianFinkel Sep 30 '11 at 17:55
  • 2
    Great list of common OpenSSL commands at https://www.sslshopper.com/article-most-common-openssl-commands.html – Rory Mar 03 '14 at 17:28
  • One thing for creating PFX files for Microsoft's Authenticode `signtool`: use some password for the exported key (or e.g. `.p12` certificate + key file). Somehow an empty password doesn't work (or maybe it should then be `signtool /p "" ...` - or something along those lines). Besides, when exporting in Windows' "Internet Options" the password is required. – Tomasz Gandor Apr 09 '14 at 09:04
  • 1
    Where to run this command in Windows? I tried it on the command prompt but it is not working there. – Vijay Singh Rana Jul 30 '14 at 10:22
  • maybe correct key file name wouldn't be `bob_key.pem` but `bob_key.key` – Jan Papež - honyczek Aug 21 '15 at 12:43
  • 5
    A couple of additions: `-name "friendly name"` sets the name (which would appear in certificate list in Windows, for example), and `-certfile cacert.pem` can be used to add the CA certificate(s) and produce the `.pfx` file with the whole chain. – pvgoran Sep 12 '17 at 15:44
  • Hmmm... I needed to reverse `-inkey` and `-in` parameters to make this work. `-inkey` for the private key and `-in` for the `.pem`. – Rick Strahl Feb 05 '20 at 23:09
  • @RickStrahl: the .pem extension is used for lots of things, including both keys _and_ certs, but _in this Q_ key.pem is the key and cert.cert is the cert, so it is actually doing the same as you and both are correct. – dave_thompson_085 Apr 16 '20 at 09:27
  • @ataraxia: the gnuwin32 openssl is _way_ obsolete; slproweb as already suggested above is up to date, and also follows Windows packaging conventions correctly making it easier to use. – dave_thompson_085 Apr 16 '20 at 09:28
  • I'm very disappointed that this has 387 up votes and it's entirely UNHELPFUL to anyone who doesn't realize you need to install OpenSSL for this to work. A proper answer should include context and information, not just a copy/paste of some command with no instructions or details. – BrianVPS Apr 13 '21 at 15:16
  • It is asking for an export password. Is it absolutely necessary to give any password? – strudel Apr 16 '21 at 05:30
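
As an added example (not part of the answer or comments above): a shell wrapper around the `openssl pkcs12 -export` command that checks the key and certificate belong together, takes the export password from an environment variable, and reads the bundle back. The function names, the `PFX_PASS` variable and the throwaway self-signed pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example. make_pfx, new_pair and the demo key material are constructed
# for illustration; bob_key.pem / bob_cert.cert follow the question's names.

# make_pfx KEY CERT OUT: the export password is taken from $PFX_PASS.
# Returns 0 on success, 1 if key and certificate do not belong together,
# 2 on any other OpenSSL failure.
make_pfx() {
    key=$1; cert=$2; out=$3
    # Both commands print the public key as SubjectPublicKeyInfo PEM,
    # so a plain string comparison tells whether the pair matches.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1

    # env:VAR keeps the password off the command line (process list, history).
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "bob" \
        -passout env:PFX_PASS -out "$out" 2>/dev/null || return 2
    chmod 600 "$out"    # the bundle contains the private key

    # Read-back check: the file must open with the same password and
    # contain the certificate (-nokeys avoids printing the private key).
    openssl pkcs12 -in "$out" -passin env:PFX_PASS -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 2
}

# new_pair DIR NAME: constructed throwaway self-signed pair for the demo.
new_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2_key.pem" -out "$1/$2_cert.cert" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 2
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    new_pair "$dir" bob && new_pair "$dir" alice || return 2
    make_pfx "$dir/bob_key.pem" "$dir/bob_cert.cert" "$dir/bob_pfx.pfx" \
        && echo "matching pair: exported and read back"
    make_pfx "$dir/alice_key.pem" "$dir/bob_cert.cert" "$dir/bad.pfx" \
        || echo "mismatched pair: refused (exit $?)"
    rm -rf "$dir"
}
demo
```

To include the CA chain, add `-certfile cacert.pem` to the export line, as noted in the comments above.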
27

Here is how to do this on Windows without third-party tools:

  1. Import certificate to the certificate store. In Windows Explorer select "Install Certificate" in context menu. Follow the wizard and accept default options "Local User" and "Automatically".

  2. Find your certificate in certificate store. On Windows 10 run the "Manage User Certificates" MMC. On Windows 2013 the MMC is called "Certificates". On Windows 10 by default your certificate should be under "Personal"->"Certificates" node.

  3. Export Certificate. In context menu select "Export..." menu.

    Select "Yes, export the private key".

    You will see that .PFX option is enabled in this case.

    Specify password for private key.

Rory McCrossan
IT Hit WebDAV
  • 12
    In step 2, my certificate isn't under "Personal"->"Certificates". It appears in "Other People"->"Certificates", and when exporting, the "Personal Information Exchange (PFX)" option appears disabled. Do you know how to enable it? – Gabrielizalo Aug 21 '16 at 09:46
  • I fixed with the portable certificate converter from DigiCert: https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm – Gabrielizalo Aug 21 '16 at 10:38
  • 21
    you cannot import a PEM. – Ross Presser Dec 19 '16 at 16:43
  • 1
    You need to rename .pem to .cer first in order for Windows to recognize the file as a certificate/private key file. Both file extensions may contain cert(s) and/or key(s) in either ASCII-armored plaintext or Base64/DER encoded binary format, but you can use cer files with Windows built-in utilities. – Mastacheata Aug 11 '17 at 23:17
  • 10
    OP's question was how to import it when the private key is not included in the certificate file but you got two files: a crt and a pem (pem containing the private key). This answer doesn't work in that case. – omni Jan 15 '18 at 21:14
  • The elephant in the room here, as already pointed out, windows won't recognize pem files and (as was also pointed out) renaming it to crt won't solve the problem OP had, BTW, you didn't mention anywhere in your answer you're supposed to rename the .pem file. – Ezequiel Barbosa Aug 23 '20 at 02:08
  • Downvote reason: Answer is totally wrong and doesn't address the question in any way. – NickG Feb 12 '21 at 10:24
23

I created .pfx file from .key and .pem files.

Like this:

```
openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
```

That's not the direct answer but still maybe it helps out someone else.

Siim Nelis
5

If you have a self-signed certificate generated by makecert.exe on a Windows machine, you will get two files: cert.pvk and cert.cer. These can be converted to a pfx using pvk2pfx.

pvk2pfx is found in the same location as makecert (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x86 or similar).

```
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx
```
StackzOfZtuff
EBlake