SSLmentor

Quality TLS/SSL certificates for websites and internet projects.


Export certificate to PFX

Instructions for exporting the private key and the certificate, including the intermediate certificates of the certification authority, from the PEM (X.509) format to the PFX format, which is suitable for installation on a Windows server with IIS (Internet Information Server).

Export using OpenSSL

To work with certificates, you need to have the OpenSSL library installed. See the OpenSSL for Windows and Mac OSX page for instructions and download links.

Preparation of certificate

We will need the certificate and private key files for the export. Save everything in 3 files: the private key (.key), the certificate with the public key (.pem), and one file with the intermediate certificates from the CA (.pem). For the export, it does not matter whether the files have the extension .PEM or .TXT; the naming is up to you. For clarity, the private key file should have the .KEY extension.

  • private key file (saved during generation in Control Panel or OpenSSL)
  • certificate file from a certification authority (certified public key)
  • file with intermediate certificates of the certification authority

The files contain certificates in PEM format. Certificates begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----; the private key begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.

Export PEM to PFX (PKCS#12)

To export with OpenSSL, we will use the pkcs12 command with the following parameters:

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile cabundle.pem

Or, for example, if we have key-files in TXT format:

openssl pkcs12 -export -out cert.pfx -inkey key.txt -in cert.txt -certfile ca.txt

After running the command, you will be asked to enter a password and confirm it (min. 4 characters); the certificate is then exported to the cert.pfx file.
If the files are not located in the current working directory, you must specify the path to them. Certificate files can also have a .txt extension, as shown in the figure.

[Figure: OpenSSL - exporting a certificate to PFX]

Check the .pfx key file

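After exporting, we recommend checking the .pfx file to see if all certificates have been inserted correctly. Because of the -nodes option, this command prints the private key to the terminal unencrypted, so run it only where the output is not logged or visible to others.

openssl pkcs12 -info -nodes -in cert.pfx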

Potential export errors

Error opening input file key/cert.txt
 key/cert.txt: No such file or directory

Check the path and file names of the keys.

Unable to load certificate

Check the correct PEM certificate format and content starting with -----BEGIN CERTIFICATE-----.
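
The export and check steps above can be wrapped in pre-flight checks that catch a key/certificate mismatch or a wrong CA bundle before the PFX is written. This is an added example, not part of the original instructions; the function names, the PFX_PASS environment variable and the throwaway demo certificates are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and the
# PFX_PASS environment variable are assumptions of this example.

# Fail unless private key, certificate and CA bundle belong together.
# usage: pfx_preflight private.key cert.pem cabundle.pem
pfx_preflight() {
    key=$1 cert=$2 chain=$3
    # The certificate must parse as PEM X.509 (else "Unable to load certificate").
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }
    # The public key derived from the private key must equal the certificate's.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 2; }
    cpub=$(openssl x509 -in "$cert" -pubkey -noout)
    [ "$kpub" = "$cpub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }
    # The certificate must chain to the bundle; -partial_chain accepts a
    # bundle that holds only intermediates, without the root.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $chain" >&2; return 4; }
}

# Run the checks, export, then print how many certificates landed in the PFX.
# usage: pfx_export_checked private.key cert.pem cabundle.pem cert.pfx
# (export PFX_PASS with the PFX password first)
pfx_export_checked() {
    pfx_preflight "$1" "$2" "$3" || return $?
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
        -passout env:PFX_PASS || return 5
    openssl pkcs12 -in "$4" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed throwaway CA and server certificate for trying this offline.
# usage: make_demo_files directory
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/cabundle.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/private.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/cabundle.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
}
```

For the demo files, pfx_export_checked prints 2 (the server certificate plus one CA certificate); a lower count than expected means the CA bundle was not included in the PFX.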

Working with keys in PFX

To export an encrypted private key from .pfx, use the command: openssl pkcs12 -in cert.pfx -nocerts -out key-crypt.key
The encryption password must be at least 4 characters long.

Private key decryption (the resulting key.key is stored without a password, so restrict access to the file): openssl rsa -in key-crypt.key -out key.key

Export certificate (public key) to .crt format: openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt

Certificate export to PFX without private key

Certificate export to PFX without private key: openssl pkcs12 -export -out cert.pfx -nokeys -in certificate.pem

Certificate export to PFX without private key with CA intermediate certificates: openssl pkcs12 -export -out cert.pfx -nokeys -in certificate.pem -certfile cabundle.pem

Certificate conversion between different formats

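With OpenSSL, various conversions between formats can be performed using the following commands. They are shown as entered at the interactive openssl> prompt; when running them from a regular shell, prefix each command with openssl.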

Convert PEM → DER
openssl> x509 -outform der -in certificate.pem -out certificate.der
Convert PEM → P7B
openssl> crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile cacert.pem
Convert DER → PEM
openssl> x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B → PEM
openssl> pkcs7 -print_certs -in certificate.p7b -out certificate.pem
Convert P7B → PFX
openssl> pkcs7 -print_certs -in certificate.p7b -out certificate.pem
openssl> pkcs12 -export -in certificate.pem -inkey privateKey.key -out certificate.pfx -certfile cacert.pem
Convert PFX → PEM
openssl> pkcs12 -in certificate.pfx -out certificate.pem -nodes
