Squoggle

Mac's tech blog

Monthly Archives: February 2020

Convert PEM certificate to PFX or P12

How to convert a PEM certificate to PFX or P12 format.

The PFX or PKCS12 format is a binary format that stores a server certificate, any intermediate certificates, and the private key in a single encrypted file. PFX files typically have the .pfx or .p12 extension. They are commonly used on Windows and macOS machines to import and export certificates and private keys. Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java’s standard “Java KeyStore” format, and is the format created by the keytool command-line utility. The PKCS12 format is an internet standard, and can be created with OpenSSL.

What you’ll need:

  • You will need the private key that was used to create the public key and certificate.
  • You will need the certificate in PEM format, typically with a file extension of .crt, .pem or .cer.
  • You will need OpenSSL.

Let's take a look at the OpenSSL command you would use to convert the PEM cert to PFX:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile chain.crt

Let's break down the different parts of the command to see what they do:

openssl – This starts the openssl software.

pkcs12 – This tells openssl to use PKCS#12 Data Management.

-export -out certificate.pfx – This tells openssl to export out a PFX file named certificate.pfx.

-inkey privateKey.key – This tells openssl to import the private key from a file named privateKey.key.

-in certificate.crt – This tells openssl to import the certificate from a file named certificate.crt.

-certfile chain.crt – This tells openssl to add the additional certificates contained in chain.crt to the PFX file. Typically these are the intermediate certs that chain your cert to a root cert.

After you enter this command you will be prompted for a password that protects the PFX file. Without the password the PFX file is useless, so do not forget it.

The end result of this command will be that you have a new file named certificate.pfx which contains your Private Key, the Certificate and any Intermediate certs you added as well, all wrapped into a binary format and protected by a password.
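
The script below is an added example, not part of the original post: it wraps the command above with a check that the private key actually belongs to the certificate, then reads the finished PFX back to count the certificates it holds. The function names, the PFX_PASS environment variable and the throwaway demo CA are assumptions made for illustration; the file names follow the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names, PFX_PASS and the
# demo CA are assumptions; file names follow the command shown above.
set -eu

# Succeeds only if the private key ($1) and the certificate ($2) carry the
# same public key. Either file being unreadable counts as a mismatch.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
  [ "$k" = "$c" ]
}

# make_pfx KEY CERT CHAIN OUT: refuses to export a mismatched pair.
# The export password is read from $PFX_PASS, so it never shows up in the
# process list or in shell history.
make_pfx() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout env:PFX_PASS
  chmod 600 "$4"   # the PFX contains the private key
}

# Number of certificates stored in the PFX (leaf plus chain).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample input: a throwaway CA, a leaf certificate signed by it,
# and an unrelated key used to show the mismatch case.
make_demo_files() {
  ( cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.crt -subj "/CN=Demo CA" -days 1
    openssl req -new -newkey rsa:2048 -nodes -keyout privateKey.key -out leaf.csr -subj "/CN=demo.example"
    openssl x509 -req -in leaf.csr -CA chain.crt -CAkey ca.key -CAcreateserial -out certificate.crt -days 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key
  ) >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); make_demo_files "$d"
  export PFX_PASS='constructed-demo-password'
  make_pfx "$d/privateKey.key" "$d/certificate.crt" "$d/chain.crt" "$d/certificate.pfx"
  echo "certificates in PFX: $(pfx_cert_count "$d/certificate.pfx")"
  make_pfx "$d/other.key" "$d/certificate.crt" "$d/chain.crt" "$d/bad.pfx" || echo "mismatch rejected"
  rm -rf "$d"
}
demo
```

With real files, set and export PFX_PASS yourself and call make_pfx with your own key, certificate and chain paths instead of running demo.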