How to create PEM certificates using PFX or CER


Prerequisites

  1. Exported Certificate in PFX format: The certificate file (e.g., yourpfxfile.pfx) containing the public key, private key, and intermediate certificates.

  2. PFX Certificate Password: Ensure you have the password required for creating the PEM files from the exported certificate.

If you have a certificate in .cer format, see the second part of this guide first.

Workflow

To generate a PEM certificate, utilize third-party software or install OpenSSL (freely available) and convert your PFX certificate to PEM format.

If employing OpenSSL, follow these steps:

Creating the correct certificate format (Using OpenSSL):

  1. Launch a Command Prompt as Administrator and navigate to the directory where OpenSSL is installed, for example, c:\program files\OpenSSL-Win64\bin\

  2. Execute the command below to extract the private key and save it to a new file:

openssl pkcs12 -in yourpfxfile.pfx -nocerts -out client-key.pem -nodes

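(You'll be prompted for the PFX password, if applicable. Because of -nodes, the private key in client-key.pem is written unencrypted, so restrict who can read that file.)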

If there's a PEM Password/Phrase, follow these steps instead of the previous one:

Extract the private key to a temporary file:

openssl pkcs12 -in yourpfxfile.pfx -nocerts -out client-key-temp.pem

(You'll be prompted for both the PFX password and the PEM password)

Convert the temporary private key file to the desired format:

openssl rsa -in client-key-temp.pem -out client-key.pem

(You'll be asked for the PFX password if there is one)

If there's no PEM Password/Phrase, continue here:

  3. Now, to extract the public certificate and save it to a new file, run the following command:

openssl pkcs12 -in yourpfxfile.pfx -nokeys -out client-cert.pem -nodes

(You'll be prompted for the PFX password if there is one)
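
After both files exist, it is worth confirming that client-key.pem and client-cert.pem really belong together and that the certificate file carries no private key. The script below is an added example, not part of the original guide; it assumes a POSIX shell with OpenSSL on the PATH (for example WSL), and the helper names, the password and the CN are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). Helper names are hypothetical.

# Public key derived from a private key file. Output is empty if the key is
# unreadable or still passphrase-protected ("-passin pass:" avoids a prompt).
key_pub() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Public key of the first certificate in the file. openssl x509 skips the
# "Bag Attributes" text that pkcs12 writes in front of each PEM block.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# check_pair KEY CERT
#   0 = key and certificate match      1 = they do not match
#   2 = a file could not be parsed     3 = certificate file contains a private key
check_pair() {
    k=$(key_pub "$1"); c=$(cert_pub "$2")
    [ -n "$k" ] && [ -n "$c" ] || return 2
    if grep -q 'PRIVATE KEY-----' "$2"; then return 3; fi
    [ "$k" = "$c" ]
}

# demo: builds a constructed throwaway key, certificate and PFX (no real
# credentials), extracts them with the guide's commands, then checks them.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 9
    pw=constructed-password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=constructed.example \
        -keyout private.key -out certificate.cer 2>/dev/null
    openssl pkcs12 -export -out yourpfxfile.pfx -inkey private.key \
        -in certificate.cer -passout "pass:$pw"
    openssl pkcs12 -in yourpfxfile.pfx -nocerts -out client-key.pem -nodes \
        -passin "pass:$pw" 2>/dev/null
    openssl pkcs12 -in yourpfxfile.pfx -nokeys -out client-cert.pem -nodes \
        -passin "pass:$pw" 2>/dev/null
    chmod 600 client-key.pem    # -nodes wrote the key unencrypted: owner-only access
    rc=0; check_pair client-key.pem client-cert.pem || rc=$?
    openssl genrsa -out other-key.pem 2048 2>/dev/null    # unrelated constructed key
    rc_other=0; check_pair other-key.pem client-cert.pem || rc_other=$?
    cd / && rm -rf "$d"
    echo "$rc $rc_other"
)

demo    # prints "0 1": extracted pair matches, unrelated key is rejected
```

To check your own files, call check_pair client-key.pem client-cert.pem in place of demo. If the PFX holds intermediate certificates, client-cert.pem contains several certificates and only the first one is compared.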

If you have a .cer certificate, follow these steps to convert it to .pfx format

Steps to Convert .cer to .pfx using OpenSSL:

  1. Prepare the Required Files:

    • Certificate: You should have a .cer or .crt file (e.g., certificate.cer).

    • Private Key: You need the corresponding private key file (e.g., private.key).

  2. Convert the Certificate and Key to .pfx:

    • Launch a Command Prompt as Administrator and navigate to the directory where OpenSSL is installed, for example, c:\program files\OpenSSL-Win64\bin\

    • Run the following command:

      openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.cer

      Explanation:

      • -export: Creates a .pfx file.

      • -out certificate.pfx: Specifies the output file.

      • -inkey private.key: Specifies the private key file.

      • -in certificate.cer: Specifies the certificate file.

  3. Set a Password:

    • The command will prompt you to set a password for the .pfx file. This password is required when importing the .pfx file later.

  4. Verify the .pfx File:

    • Once created, you can verify the contents of the .pfx file using the following command:

      openssl pkcs12 -info -in certificate.pfx

    • Enter the password when prompted, and you should see details of the certificate and private key.

If you don't have the private key, you cannot create a .pfx file because the .pfx format requires both the certificate and the private key.

After successfully converting .cer to .pfx, you can proceed with the steps outlined in the first part of this guide.

 
