How to Convert Certificate Format Using OpenSSL

OpenSSL is an open-source library and a command-line tool that helps admins and developers perform various cryptographic tasks, such as generating key pairs, certificate signing requests (CSR), verifying certificates, encrypting and decrypting data, identifying certificate information, verifying file integrity and much more. In this post, you will learn how to convert TLS certificates into different formats with OpenSSL.

Installation

The OpenSSL package comes pre-installed with macOS and most Linux distributions. On Windows, you can download the suitable version from here. If you have Git installed, the OpenSSL executable should already be present in the Git installation directory.

Using OpenSSL

To start using OpenSSL, open a command prompt or terminal and run the openssl version command.

Viewing the OpenSSL version

When you run the openssl command without any options, it displays a list of commands supported by the OpenSSL tool. These commands are categorized into Standard, Message Digest, and Cipher commands.

Viewing the list of commands supported by the OpenSSL tool

You can use openssl help <command> or openssl <command> -help to display any command’s help menu. For instance, the command below prints the help menu of the genrsa command.

openssl genrsa -help

Getting help with the OpenSSL tool

Generate a certificate

Let’s first create a certificate with OpenSSL.

openssl req -x509 -newkey rsa:2048 -keyout private.pem -out certificate.pem -days 365 -noenc

Creating a self-signed certificate with OpenSSL tool

We used the OpenSSL tool’s req (request) command to generate a self-signed certificate valid for 365 days. The -newkey option generates a new RSA key pair with a key size of 2048 bits (default). The -keyout option specifies the file to write the private key, and the -out option specifies the file to write the certificate. The -noenc (no encryption) or -nodes (no data encryption standard) option is used to avoid encrypting the private key for the sake of simplicity. After running this command, you get private.pem and certificate.pem files containing the private key and certificate, respectively.

Convert PEM format

Next, we turn to certificate format conversion. Certificate formats are containers that differ in how they encode the certificate data.

PEM (Privacy Enhanced Mail) functions as a container where certificates and keys are stored in a Base64 encoded format, and the associated files may have a range of extensions, including .pem, .crt, and .key. It’s a text format that can be viewed using a text editor, and it’s primarily used by Linux, macOS, Apache, and Nginx servers. The self-signed certificate from the previous section is also in PEM format, which we will soon convert into many other formats.

The command to convert a PEM certificate into the PKCS#12 or PFX format is provided below:

openssl pkcs12 -export -out certificate.pfx -inkey private.pem -in certificate.pem

Convert a PEM certificate and private key to a PFX file

Here, we used the pkcs12 command of the OpenSSL tool. The -export option lets you export the private key and certificate to a PKCS#12 or PFX file. As shown in the illustration above, you can specify a password to secure the private key during export, which will be needed when importing the PFX file. The -inkey option specifies the private key, and the -in option specifies the PEM or CRT certificate file. You can use the -in option multiple times to specify the intermediate or root certificate authority (CA) certificates. Furthermore, if you want to export the certificate without the private key, use the -nokeys option.

To convert a PEM certificate to PKCS#7 or P7B format, use the following command:

openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b

Convert a PEM certificate to a P7B file

We used the crl2pkcs7 command with -nocrl option to avoid including the certificate revocation list (CRL) in the output P7B file. The -certfile option specifies the PEM file and optional CA certificate. The -out option specifies the output P7B certificate file.

To convert a PEM certificate to DER format, use this command:

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PEM certificate to a DER file

Here, we used the x509 command of the OpenSSL tool and the -outform option to specify the output certificate format (i.e., der). The -in option specifies the input PEM file, and the -out option specifies the output DER file.

Convert PKCS#12 (PFX) format

The PKCS#12 (Public Key Cryptography Standard Number 12) is a binary format for storing a certificate and private key in a password-protected container, which usually has a .pfx or .p12 file extension.

To convert a PKCS#12 (or PFX) certificate to PEM format, use the following command:

openssl pkcs12 -in certificate.pfx -out cert.pem

Convert a PFX file to a PEM file

Here, we utilized the pkcs12 command together with the -in option to designate the input PFX file and the -out option to indicate the output PEM file. Because the output PEM file also includes a private key, you will be asked to establish a passphrase. You may use the -noenc or -nodes option to avoid encrypting the private key. In addition, if you wish to export the private key and certificate to separate files, you may utilize the following commands instead:

# Export client certificate(s) only

openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys

# Export private key only

openssl pkcs12 -in certificate.pfx -out key.pem -nocerts -noenc

Convert PKCS#7 (P7B) format

The PKCS#7 (Public Key Cryptography Standard Number 7) format is similar to PKCS#12 but does not contain private key material. It has a .p7b or .p7c file extension, and it is commonly used by Windows and Java.

To convert a P7B certificate to PEM format, use this command:

openssl pkcs7 -print_certs -in certificate.p7b -out cert.pem

Convert a P7B certificate to a PEM file

Here, we used the pkcs7 command with the -print_certs option to print the certificates contained within the P7B file. The -in and -out options specify the input P7B and output PEM files, respectively.

Converting a P7B certificate to PFX format necessitates having a private key, as P7B files lack one. Yet, the PFX file typically contains both the private key and certificate. Thus, we initially transform the P7B certificate into a CER format, then use the CER file and private key to export a PFX file with these commands:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey private.pem -out certificate.pfx -certfile ca_cert.cer

Convert a P7B file to a PFX file

Convert DER format

The DER (Distinguished Encoding Rules) is essentially a binary encoded container for storing certificates and private keys. Since it is not a text format, you cannot simply open it in a text editor. It has a .der file extension and is typically used by Windows and Java-based applications.

To convert a DER certificate to PEM format, use the following command:

openssl x509 -inform der -in certificate.der -out certificate.pem

Convert a DER certificate to a PEM file

Here, we used the x509 command with the -inform option, which specifies the input certificate format as DER. As usual, the -in and -out options specify the input DER and output PEM files, respectively. Once you convert your certificate into a PEM format, you can combine it with the private key to export a PFX file.
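A conversion should change only the container, never the certificate, so it is worth comparing SHA-256 fingerprints across formats and checking that the private key matches the certificate before exporting a PFX. The script below is an added example, not part of the original article; the function names, the demo.example subject and the password are constructed for illustration, and it uses -nodes rather than -noenc so that it also runs on OpenSSL releases older than 3.0.

```shell
#!/bin/sh
# Added example. File names, subject and password are constructed sample values.
# Print the SHA-256 fingerprint of the certificate stored in a file.
# $1 = file, $2 = format (pem|der|p7b|pfx), $3 = PFX password (pfx only)
cert_fp() {
    case "$2" in
        pem) openssl x509 -in "$1" -noout -fingerprint -sha256 ;;
        der) openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 ;;
        p7b) openssl pkcs7 -print_certs -in "$1" |
                 openssl x509 -noout -fingerprint -sha256 ;;
        pfx) openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" |
                 openssl x509 -noout -fingerprint -sha256 ;;
        *)   return 2 ;;
    esac
}

# Succeed only if private key $1 (PEM) belongs to certificate $2 (PEM):
# both must yield the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Repeat the article's conversions in a scratch directory and compare each
# result with the original PEM. Returns the number of failed checks.
roundtrip_check() {
    d=$(mktemp -d) || return 99
    pw='demo-only-password'; fails=0
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/private.pem" -out "$d/certificate.pem" -days 1 2>/dev/null
    chmod 600 "$d/private.pem"   # the key is unencrypted, so restrict access
    openssl x509 -outform der -in "$d/certificate.pem" -out "$d/certificate.der"
    openssl crl2pkcs7 -nocrl -certfile "$d/certificate.pem" -out "$d/certificate.p7b"
    openssl pkcs12 -export -inkey "$d/private.pem" -in "$d/certificate.pem" \
        -out "$d/certificate.pfx" -passout "pass:$pw"
    want=$(cert_fp "$d/certificate.pem" pem)
    for f in der p7b pfx; do
        got=$(cert_fp "$d/certificate.$f" "$f" "$pw")
        if [ -z "$want" ] || [ "$got" != "$want" ]; then
            echo "fingerprint mismatch after conversion to $f" >&2
            fails=$((fails + 1))
        fi
    done
    key_matches_cert "$d/private.pem" "$d/certificate.pem" || fails=$((fails + 1))
    rm -rf "$d"
    return "$fails"
}
roundtrip_check && echo "all conversions preserved the certificate"
```

The exit status of roundtrip_check is the number of checks that failed, so zero means every converted file still carries the same certificate and the key matches it.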


Conclusion

As you have seen, OpenSSL is a powerful tool that admins should learn because it helps in certificate format conversion, which is crucial to facilitating seamless interoperability and secure communication across different operating system environments. It has quite a lot of options that you can explore and experiment with. Remember to check the help section of OpenSSL to learn more.

