Convert PFX to PEM with Key INCLUDING INTERMEDIATE certificates

opensslsslssl-certificate

I have a PFX that I want to convert to a CRT and Key or PEM and Key to install on an NGINX endpoint. When I import the pfx to my cert store on my windows machine it creates the certificate, the intermediate chain, and the root CA.

If I take that PFX and run the following openssl commands I and bind it to the endpoint, I don't get all the certificates in the chain:

openssl pkcs12 -in ./GoDaddy.pfx -clcerts -nokeys -out pcc.crt -nodes -nokeys

openssl pkcs12 -in ./GoDaddy.pfx -nocerts -nodes -out pcc.rsa -nodes -nokeys

Is there a switch or command I can run to convert the PFX to a crt / rsa or pem /key with all of the certificates up the chain to the root CA?

Best Answer

Since you want everything, you just need to reduce the number of restrictions you are asking for.

so:

openssl pkcs12 -in ./GoDaddy.pfx -out ./GoDaddy.pem

If you read the documentation you will see what you are asking for:

-nocerts

No certificates at all will be output.

-clcerts

Only output client certificates (not CA certificates).

-nokeys

No private keys will be output.

-nodes

Don't encrypt the private keys at all.

Related Solutions

How to get .pem file from .key and .crt files

Your keys may already be in PEM format, but just named with .crt or .key.

If the file's content begins with -----BEGIN and you can read it in a text editor:

The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.

If the file is in binary:

For the server.crt, you would use

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a Web server and you cannot specify loading a separate private and public key:

You may need to concatenate the two files. For this use:

cat server.crt server.key > server.includesprivatekey.pem

I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.

Windows – How to create .pfx file from certificate and private key

You will need to use openssl.

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

The key file is just a text file with your private key in it.

If you have a root CA and intermediate certs, then include them as well using multiple -in params

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -in intermediate.crt -in rootca.crt

You can install openssl from here: openssl

Best Answer

Related Solutions

How to get .pem file from .key and .crt files

Windows – How to create .pfx file from certificate and private key

Related Topic