SSL Certificate Conversion Guide
Introduction
SSL certificates are used to secure communications between clients and servers. However, different systems require certificates in specific formats. This guide will help you convert SSL certificates into different formats using OpenSSL and other methods. Here's a breakdown of the most commonly used certificate formats and their conversions.
Common Certificate Formats
- PEM (.pem, .crt, .cer): Base64 encoded certificate with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
- PKCS#7 (.p7b, .p7s): Commonly used by Windows and Java-based systems, containing certificates and CA chains without private keys.
- PKCS#12/PFX (.p12, .pfx): Binary format containing both the certificate and the private key, typically used by Windows servers.
- DER (.der, .cer): Binary encoded certificate, usually for Java platforms. Requires conversion to PEM for human readability.
Converting Certificates
The conversion of certificates between formats can be done using OpenSSL. Here's how you can convert between various formats:
Convert DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CA.pem
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
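Note: Before converting to PFX, confirm that the private key matches the certificate, that is, the key's public half is the public key in the certificate. In the PFX to PEM command above, -nodes writes the private key to the output file unencrypted, so restrict access to that file.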
Windows Certificate Conversion (PEM)
Follow these steps to convert a certificate on a Windows machine:
- Right-click the certificate and select Install Certificate.
- Select Current User and click Next.
- Choose Place all certificates in the following store and click Browse.
- Select Personal and click OK.
- Complete the installation process by clicking Next and Finish.
- Open the certmgr.msc tool by pressing Win + R and typing certmgr.msc.
- Locate the certificate under Personal → Certificates, right-click it, and select All Tasks → Export.
- Choose Base-64 encoded X.509 (.cer) and save the file.
- Change the file extension from .cer to .pem.
Linux Certificate Conversion (PEM)
On Linux, you can use OpenSSL to handle conversions. Below are a few common conversion commands:
Install OpenSSL (if not already installed; the command below is for Debian/Ubuntu)
sudo apt install openssl
Convert DER to PEM
openssl x509 -inform der -in certificate.der -out certificate.pem
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem -certfile CA.pem
X.509 Certificate Extensions
Certificates are often identified by their extensions. Here's a list of common extensions and what they signify:
- .pem: Base64 encoded certificate, enclosed between "BEGIN CERTIFICATE" and "END CERTIFICATE".
- .cer, .crt: May be either in PEM or DER format. Often used interchangeably with .pem.
- .pfx, .p12: Binary format containing both the certificate and private key, commonly used in Windows environments.
- .p7b, .p7c: PKCS#7 formatted files used mainly in Java or Windows environments.
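Because .cer and .crt can hold either PEM or DER, the encoding is best read from the file's content before choosing -inform. The following is an added example, not part of the original guide: the function names and the sample bytes are constructed for illustration, and it assumes the input is one of the four formats listed on this page.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Heuristic: the first tag inside the outer DER SEQUENCE tells the containers apart.
DER_INNER = {
    0x30: "X.509 certificate",  # tbsCertificate is a SEQUENCE
    0x02: "PKCS#12/PFX",        # PFX starts with an INTEGER version
    0x06: "PKCS#7",             # ContentInfo starts with an OBJECT IDENTIFIER
}

def inner_tag(der):
    """Return the first tag inside the outer SEQUENCE, or None if not DER."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    # Short form uses one length byte; long form is 0x80 | count of length bytes.
    skip = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[skip] if skip < len(der) else None

def is_plain_key(label, body):
    """True for a private key block that carries no encryption marker."""
    return (label.endswith(b"PRIVATE KEY") and not label.startswith(b"ENCRYPTED")
            and b"Proc-Type: 4,ENCRYPTED" not in body)

def classify(data):
    """Classify certificate material by content, ignoring the file extension."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        return {"encoding": "PEM",
                "contents": [label.decode() for label, _ in blocks],
                "plain_private_key": any(is_plain_key(l, b) for l, b in blocks)}
    kind = DER_INNER.get(inner_tag(data))
    return {"encoding": "DER" if kind else "unknown",
            "contents": [kind] if kind else [], "plain_private_key": False}

def pem_wrap(label, der):
    """Build a PEM block around raw bytes (used for the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

# Constructed placeholder bytes: correct leading ASN.1 tags, not real certificates.
SAMPLE_CERT_DER = bytes.fromhex("3082000a3082000602010100000000")
SAMPLE_PFX_DER = bytes.fromhex("30820006020103300000")
SAMPLE_PFX_TO_PEM = (b"Bag Attributes\n" + pem_wrap("PRIVATE KEY", b"\x30\x00")
                     + pem_wrap("CERTIFICATE", SAMPLE_CERT_DER))
if __name__ == "__main__":
    for sample in (SAMPLE_CERT_DER, SAMPLE_PFX_DER, SAMPLE_PFX_TO_PEM):
        print(classify(sample))
```

A result with plain_private_key set to True, as for the PFX to PEM output produced with -nodes, means the file needs the same protection as the key itself.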
Additional Notes
When working with certificates, remember the following:
- PEM: Most commonly used format for certificates.
- PFX/PKCS#12: Ideal for Windows servers as it includes both the certificate and the private key.
- PKCS#7: Suitable for systems that do not require the private key to be stored with the certificate.