Rootctl



Converts PEM to a PKCS#12/PFX file


https://theitbros.com/convert-crt-to-pem/

o Microsoft Windows servers use .pfx files
o Apache servers use .crt and .cer files



On Windows, there are several ways to convert an SSL certificate file from one format to another.

1-With built-in Certificate Export Wizard;
2-Using the PSPKI PowerShell module;
3-With openssl ports for Windows.



Use the Certificate Export Wizard to Change CRT File Format:
----------------------------------------------------------------
1. Run the File Explorer, locate and double-click your .cer file;

2. In the certificate properties window go to the Details tab and click on the “Copy to File” button;

3. Press Next on the first step of Certificate Export Wizard;
4. Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;

5. Specify the file name;

6. Press the Finish button;

7. Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
8. Ensure that the file format is Base64:
cat c:\ps\new_cert.pem

Convert SSL Certificates on Windows using PowerShell
--------------------------------------------------------------
Several built-in PowerShell cmdlets are available to export installed certificates from the local cert store to various file formats. To export a certificate, you need to specify its FriendlyName or Thumbprint:
Export Cert to PFX:
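# Get-Item returns the certificate object from the store; the bare cert:\ path alone is not a valid assignment
$mycert = Get-Item -Path Cert:\LocalMachine\My\15DA70574DDE43177B6F6F6F00BF44231A1CF07E

# "123456" is a sample value only: the PFX contains the private key, so set a strong password
$mypwd = ConvertTo-SecureString -String "123456" -Force -AsPlainText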

$mycert | Export-PfxCertificate -FilePath C:\ps\mypfx.pfx -Password $mypwd
Export Cert to CER:
$mycert | Export-Certificate -Type cer -FilePath c:\ps\mypfx.cer -Force
Export Cert to P7B:
$mycert |Export-Certificate -Type p7b -FilePath c:\ps\mypfx.p7b -Force
Export Cert to SST (as CER):
$mycert | Export-Certificate -Type SST -FilePath c:\ps\mypfx.sst -Force
To manage and convert SSL certificates on Windows, you can use the PSPKI (PowerShell PKI Module) module. You can install PSPKI from PSGallery:
Install-Module -Name PSPKI
After installation, you need to import the module into the session:
Import-Module PSPKI
There are two cmdlets available in the PSPKI module to change the certificate file format:
 Convert-PemToPfx
 Convert-PfxToPem

You can get information about the certificate file:
Show-Certificate -Certificate "C:\PS\Certs\server1-der.cer"|fl

To convert a PFX certificate to PEM format, run the command:
Convert-PfxToPem -InputFile "C:\PS\Certs\server1.cer" -OutputFile "C:\PS\Certs\server1.pem"
If you try to convert a DER certificate to PEM in this way, an error will appear:
Input file is not valid PKCS#12/PFX file




Converting SSL Certificate Format Using OpenSSL for Windows:
-------------------------------------------------------------------------
In case your crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the OpenSSL port gnuwin32, version 0.9.8h). That release is long out of support, so use a current OpenSSL build for Windows where you can; the x509 command below is the same.
Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. Open the command prompt as an administrator and change the folder:
cd C:\OpenSSL\bin
If the crt file is in binary format, then run the following command to convert it to PEM format:
Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem
Change certificate file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.
Note. When you are converting your certificate’s files to different formats using OpenSSL, your certificate’s private data is secured, since it’s never stored by the OpenSSL during the file conversion.
After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.

If you run the openssl.exe tool and receive an error Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:
Set OPENSSL_CONF=C:\openssl\share\openssl.cnf

Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.
Convert CRT SSL Certificate to PEM Format on Linux
-------------------------------------------------------------
Let’s look at how to convert CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.
On RedHat/CentOS/Fedora you can install OpenSSL as follows:
yum install openssl
Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.

On Debian/Ubuntu distros, you can install this package using the APT:
apt-get install openssl
To convert your CER file to PEM format using OpenSSL, run the following command:
openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem
tstcert.cer — source certificate file;
tstcert.pem — target pem file.

Some more examples of using OpenSSL to convert various certificate file formats:
 PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
 PKCS#12 with private key to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes (-nodes writes the private key to keyStore.pem unencrypted).
 PEM and private key files to PKCS#12: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 PEM to PKCS#7 (.p7b, .p7c): openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CAcert.cer
 PEM to PFX: openssl pkcs12 -export -out site.pfx -inkey site.key -in site.crt -certfile site.ca-bundle (you will be prompted to set the password for the key).
 DER to PEM: openssl x509 -inform der -in site.der -out site.crt
 P7B to PEM: openssl pkcs7 -print_certs -in site.p7b -out site.cer
 P7B to PFX (two commands): openssl pkcs7 -print_certs -in site.p7b -out site.cer
   openssl pkcs12 -export -in site.cer -inkey site.key -out site.pfx -certfile site.ca-bundle
 PFX to PEM: openssl pkcs12 -in site.pfx -out site.crt -nodes (the private key is written unencrypted here as well).
Using Openssl-ToolKit to Convert CRT Certificate File
If you are uncomfortable with the OpenSSL command line, you can use the OpenSSL ToolKit script to convert the certificates. OpenSSL ToolKit script is a simple wrapper tool for OpenSSL CLI to help automate common certificate management tasks. When using this script, certificates and keys are processed directly on the host and are not transferred anywhere.
1. Run the following command to install the OpenSSL ToolKit script on Linux:
echo https://github.com/tdharris/openssl-toolkit/releases/download/1.1.0/openssl-toolkit-1.1.0.zip \
| xargs wget -qO- -O tmp.zip && unzip -o tmp.zip && rm tmp.zip && ./openssl-toolkit/openssl-toolkit.sh
2. To convert certificate file select 2 > Enter.
3. Select the type of conversion (4. DER to PEM).
4. Enter the name of the certificate file: /root/cert.cer.
5. Specify the name of the file to convert to and press Enter.
6. The script will convert the certificate file.


repadmin /syncall DC-CALIFORNIA /A /a /d /e /P
--------------------------------------------------------------------------------------------------------------------------

Converts PEM to a PKCS#12/PFX file


Converts PEM (Privacy Enhanced Mail) certificate with embedded private key to a PKCS#12/PFX file:
-------------------------------------------------------------------------------------------------
PEM files are Base64-encoded files with PKCS#1 or PKCS#8 private key material.
Windows does not natively support the PKCS#1 and PKCS#8 private key formats, and this command allows you to perform such a conversion.
The command supports external private key files (when certificate and associated private key are stored in separate files).
Depending on parameters, the command can save the PFX to a file, install the PFX to the certificate store, or combine both operations by
installing the certificate to the certificate store and saving the certificate to a PFX file.

The PEM file must be Base64-encoded.
At minimum it must contain a digital certificate, with the following contents:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----



Alternatively, the PEM file may contain the private key, or the key must be stored in a separate file. The private key must be either PKCS#1 or PKCS#8.
The following example illustrates PKCS#1 private key headers:

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded PKCS#1 private key
-----END RSA PRIVATE KEY-----



The following example illustrates PKCS#8 private key headers:

-----BEGIN PRIVATE KEY-----
Base64-encoded PKCS#8 private key
-----END PRIVATE KEY-----



Any external information outside cryptographic headers is silently ignored.

------------------------------------------------------------------------------------------------------------------------------------------
Certificate Conversion




GnuWin32

https://getgnuwin32.sourceforge.net/


Run the following command to export the private key: openssl pkcs12 -in star_rootctl_com_2021_rekey.pfx -nocerts -out star_rootctl_com_2021_rekey_password.key -nodes
Run the following command to export the certificate: openssl pkcs12 -in star_rootctl_com_2021_rekey.pfx -nokeys -out star_rootctl_com_2021_rekey.crt
Run the following command to remove the passphrase from the private key: openssl rsa -in star_rootctl_com_2021_rekey_password.key -out star_rootctl_com_2021_rekey.key



---------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------

How to convert certificates into different formats
------------------------------------------------------------------------------------------

Different servers and control panels may require SSL certificates in different file formats.
To convert the certificates from one format to another, you can use the OpenSSL package, which is generally available on Linux machines.

In fact, the certificates we provide are issued in X.509 format, which is defined using the ASN.1 standard.
In this article we will talk about the file formats, which differ in their encoding rules.
On the whole, we can differentiate the following certificate file formats:


PEM
------------------------------------------------------------------------------------------
PEM is a base64 encoded certificate placed between the headers
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
It is the most widespread certificate format, which is mostly used by Linux-based servers, like Apache, Nginx,
and by the majority of webhosting control panels (cPanel, Plesk, DirectAdmin, WebMin, etc.).
PEM certificates may have the following file extensions: *.pem, *.crt, *.cer. Comodo CA (now Sectigo CA) sends out their certificates in PEM,
if any server type except ‘Microsoft Internet Information Server’ (Microsoft IIS) is chosen during the certificate activation.


PKCS#7
------------------------------------------------------------------------------------------
PKCS#7 is another certificate with Base64 encoding that is used generally by Windows and Java-based Tomcat servers,
and may contain domain end-entity certificate and CA chain certificates. If you open a PKCS#7 file in a text editor,
you can see the encoded text between
-----BEGIN PKCS7----- and -----END PKCS7----- tags.
The most common extensions are: *.p7b, *.p7s, *.cer. The certificate in PKCS#7 format can be retrieved from Comodo CA (now Sectigo CA),
if you choose ‘Microsoft Internet Information Server’ as a server type during the certificate activation.


PKCS#12/PFX
------------------------------------------------------------------------------------------
PKCS#12/PFX is a file in binary format that contains the certificate with a corresponding private key and is protected by a password.
Optionally, the file can include the CA chain certificates as well. Usually, PFX certificates are used on Windows machines,
and are essential for transferring the certificate from one Windows server to another. The file extensions are: *.p12 and *.pfx.


DER
------------------------------------------------------------------------------------------
DER formatted certificates - can have .der extension, but are often .cer, so the only way to tell if the certificate is
PEM or DER is to open the certificate in a text editor and look for the BEGIN CERTIFICATE and END CERTIFICATE sections
(if they are there then the .cer is in PEM format).

Note: If you are converting a certificate for IEEE 802.1x network authentication,
the client certificate requires a private key - see How do I get a PEM certificate from Windows
for IEEE 802.1x Network Authentication? (1341) for conversion details.

Converting the certificate

1. Open the certificate in a text editor and look for the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines
2. If the certificate has these lines, then it is in pem format already
3. Simply change the file extension from .cer to .pem.
If the certificate does not contain BEGIN/END lines, then the certificate is in DER format.
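
Added example, not part of the original notes: a shell function that classifies a file by its content instead of its extension, which is also why a DER file fed to Convert-PfxToPem produces "Input file is not valid PKCS#12/PFX file". It goes one step beyond the text-editor check by telling a DER certificate from a PKCS#12 file through the first ASN.1 fields; the name cert_format and the sample bytes are constructed for illustration.

```sh
#!/bin/sh
# cert_format FILE prints one of:
#   pem-with-key, pem-cert, pkcs7-pem, der-cert, pkcs12, unknown
cert_format() {
    f=$1
    # PEM family: the BEGIN line names the payload, whatever the extension says.
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then echo pem-with-key; return; fi
    if grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then echo pem-cert; return; fi
    if grep -q '^-----BEGIN PKCS7-----' "$f"; then echo pkcs7-pem; return; fi
    # Binary family: load the first 8 bytes as hex words into $1..$8.
    set -- $(head -c 8 "$f" | od -An -v -tx1)
    # Both X.509 DER and PKCS#12 start with an ASN.1 SEQUENCE tag (0x30).
    if [ $# -lt 8 ] || [ "$1" != "30" ]; then echo unknown; return; fi
    # Skip the tag and its length octets to reach the first inner field.
    case $2 in
        81) shift 3 ;;                 # long form, 1 length octet
        82) shift 4 ;;                 # long form, 2 length octets (typical)
        83) shift 5 ;;                 # long form, 3 length octets
        [0-7]?|80) shift 2 ;;          # short form or BER indefinite length
        *) echo unknown; return ;;
    esac
    case "$1$2$3" in
        020103) echo pkcs12 ;;         # PFX begins with INTEGER version = 3
        30*)    echo der-cert ;;       # certificate begins with the tbsCertificate SEQUENCE
        *)      echo unknown ;;
    esac
}

# Constructed samples: headers only, not real certificates or key stores.
fmt_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$fmt_dir/pem.cer"
printf '\060\202\003\012\060\202\001\362' > "$fmt_dir/der.cer"     # 30 82 03 0a 30 82 01 f2
printf '\060\202\011\121\002\001\003\060' > "$fmt_dir/store.cer"   # 30 82 09 51 02 01 03 30
for name in pem.cer der.cer store.cer; do
    printf '%s: %s\n' "$name" "$(cert_format "$fmt_dir/$name")"
done
```

A result of pem-with-key means the file carries private key material and should be handled and stored accordingly.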


There are multiple options for converting a certificate to pem format.

Windows:
-------------------------------------------------------------------
1. Right click the certificate and select Install Certificate
2. Select Current User and click Next.
3. Select Place all certificates in the following store.
4. Click Browse and Personal and click OK.
5. Click Next.
6. Click Finish.
7. Select start and run certmgr.msc (Windows key + R to get the prompt)
8. Expand Personal and select Certificates.
9. Select the certificate you just imported.
10. Right Click and select All Tasks → Export.
11. Select Base-64 encoded X.509 (.cer) and click Next.
12. Click Browse and select a location and give it a file name.
13. Click Finish.
14. Locate the file you just exported and change the file extension from .cer to .pem.


Linux/Openssl



Install openssl on your machine. This can also be installed on a Windows machine if required.

Run the following command substituting the file names where appropriate to convert from der format to pem.

============================================================================================================================================
How to convert files from CRT to CER:
------------------------------------
Because CER and CRT files are basically synonymous, they can be used interchangeably by simply changing the extension.
So, in case your server requires you to use the .CER file extension,
you can convert the .CRT file easily by following these steps:

1. Double-click on the yourwebsite.crt file to open it into the certificate display.
2. Click on the details tab, and then select the copy to file button.
3. Click next in the certificate wizard.
4. Choose base-64 encoded x.509 (.cer), and then click on next.
5. Now, browse to store your file and type in the filename that you want to keep
6. Finally, save the file.
#############################################################################################################################

PLEASE NOTE: When converting a PFX file to a PEM file, all certificates and the private key are integrated into a single file.
It will be necessary to separate the different parts of the file into separate files. To do this, here is the method:

1. Open the file in a text editor
2. Copy all certificates and private key including lines (begin/end) into separate files
3. Save the files in the following formats: certificate.cer, cacert.cer and privatekey.key.
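
Added example, not part of the original notes: the manual split above done with awk, using the BEGIN/END header lines described in the PEM-to-PFX section (text outside them, such as "Bag Attributes", is dropped). The function name split_pem_bundle and the sample bundle are constructed, and the script assumes the first CERTIFICATE block is the server certificate.

```sh
#!/bin/sh
# Split a combined PEM file (for example the output of
# `openssl pkcs12 -in site.pfx -out site.pem -nodes`) into certificate.cer,
# cacert.cer and privatekey.key. Assumption: the first CERTIFICATE block is the
# server certificate; every later CERTIFICATE block goes to cacert.cer.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    # Remove stale outputs so the new files are created with the umask below.
    rm -f "$outdir/certificate.cer" "$outdir/cacert.cer" "$outdir/privatekey.key"
    (
        umask 077   # owner-only files: after -nodes the private key is unencrypted
        awk -v dir="$outdir" '
            { sub(/\r$/, "") }                  # tolerate CRLF files from Windows
            /^-----BEGIN / {
                if ($0 ~ /PRIVATE KEY-----$/)   # PKCS#1, PKCS#8 or encrypted PKCS#8
                    out = dir "/privatekey.key"
                else if ($0 == "-----BEGIN CERTIFICATE-----")
                    out = dir "/" (++ncert == 1 ? "certificate.cer" : "cacert.cer")
                else
                    out = ""                    # other block types are skipped
            }
            out != "" { print > out }           # lines outside BEGIN/END are dropped
            /^-----END / { out = "" }
        ' "$bundle"
    )
}

# Number of PEM blocks in a file.
count_blocks() { grep -c '^-----BEGIN ' "$1"; }

# Constructed sample: placeholder Base64 bodies, not real certificates or keys.
split_dir=$(mktemp -d)
cat > "$split_dir/site.pem" <<'EOF'
Bag Attributes
    friendlyName: constructed sample
-----BEGIN CERTIFICATE-----
TEVBRi1DRVJULVBMQUNFSE9MREVS
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLUNBLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1DQS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
S0VZLVBMQUNFSE9MREVS
-----END PRIVATE KEY-----
EOF
split_pem_bundle "$split_dir/site.pem" "$split_dir/out"
ls -l "$split_dir/out"
```

Delete the combined PEM file once the split files are in place, since it still holds a copy of the unencrypted key.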




