Convert .pem and .pub to .pfx file

opensslpempfxrsa

I have a .pem file and a .pub file, I used following commands to create them

openssl genrsa -out temp.pem 1024
openssl rsa -in temp.pem -pubout -out temp.pub

Now I want to make them to a one .pfx file which is binary and contains both private and public key. Is it possible? how? (I have tested som openssl commands but the file was empty).

I used this command

 openssl pkcs12 -export -in temp.pem -inkey temp.pub -out temp.pfx -name "Temp Certificate"

it generates this error:

unable to load private key
17880:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_li
b.c:703:Expecting: ANY PRIVATE KEY

Best Answer

You get the error because, for the -inkey argument, you have to specify a private key; not a public key.

OpenSSL's pkcs12 command doesn't provide a way to consolidate public and private keys into a single file. It is specifically used to consolidate certificates and private keys into a single file. In the above case, what you have is a public key, not a certificate.

From the man page:

-in filename The filename to read certificates and private keys from, standard input by default. They must all be in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file.

Note that it specifically mentions that one private key and its corresponding certificate should be present. The command that I typically use to generate a PKCS#12 file is:

openssl pkcs12 -export -in cert.pem -inkey private.key -out file.pfx -name "My Certificate"

Related Solutions

How to get .pem file from .key and .crt files

Your keys may already be in PEM format, but just named with .crt or .key.

If the file's content begins with -----BEGIN and you can read it in a text editor:

The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.

If the file is in binary:

For the server.crt, you would use

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a Web server and you cannot specify loading a separate private and public key:

You may need to concatenate the two files. For this use:

cat server.crt server.key > server.includesprivatekey.pem

I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.

Convert a .PEM certificate to .PFX programmatically using OpenSSL

You could use BouncyCastle (assuming C#, because you mentioned .NET).

Let's say localhost.pem here contains both the certificate and the private key, something like this should work:

using System;
using System.Collections;
using System.Linq;
using System.Text;
using System.IO;

using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.Security;

namespace TestApplication
{
    class Program
    {
        static void Main(string[] args)
        {
            StreamReader sr = File.OpenText("localhost.pem");
            IPasswordFinder passwordFinder = new PasswordStore("testtest".ToCharArray());
            PemReader pemReader = new PemReader(sr, passwordFinder);


            Pkcs12Store store = new Pkcs12StoreBuilder().Build();
            X509CertificateEntry[] chain = new X509CertificateEntry[1];
            AsymmetricCipherKeyPair privKey = null;

            object o;
            while ((o = pemReader.ReadObject()) != null)
            {
                if (o is X509Certificate)
                {
                    chain[0] = new X509CertificateEntry((X509Certificate)o);
                }
                else if (o is AsymmetricCipherKeyPair)
                {
                    privKey = (AsymmetricCipherKeyPair)o;
                }
            }

            store.SetKeyEntry("test", new AsymmetricKeyEntry(privKey.Private), chain);
            FileStream p12file = File.Create("localhost.p12");
            store.Save(p12file, "testtest".ToCharArray(), new SecureRandom());
            p12file.Close();
        }
    }

    class PasswordStore : IPasswordFinder
    {
        private char[] password;

        public PasswordStore(
                    char[] password)
        {
            this.password = password;
        }

        public char[] GetPassword()
        {
            return (char[])password.Clone();
        }

    }
}

You'll probably need something a bit more subtle for the IPasswordFinder and if you want to handle certificate chains correctly. For more advanced features, you may be able to find more details in the BouncyCastle examples.

Best Answer

Related Solutions

How to get .pem file from .key and .crt files

Convert a .PEM certificate to .PFX programmatically using OpenSSL

Related Topic