🔒 Certificate conversion with openssl

Also certificate signing requests and certificate export

I bought a wildcard certificate for use with multiple servers and subdomains. The file was a PKCS#7 certificate file (p7b). I needed different formats with and without separate key files (pem, pfx, and crt).

All of this happened on a Windows 10 machine.

The private key is stored on the machine that created the certificate signing request (csr).

To create the request I used certreq on Windows with this inf file:

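;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com,O=Example Company,OU=IT,ST=Schleswig-Holstein,L=Town,C=DE"
KeyLength = 4096
; Exportable = True allows the private key to be exported later (needed for the pfx)
Exportable = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = SHA256
MachineKeySet = True
SMIME = False
UseExistingKeySet = False
RequestType = PKCS10
; 0xa0 = digital signature (0x80) + key encipherment (0x20)
KeyUsage = 0xa0
Silent = True
FriendlyName = "Example Company Certificate 2022"

[EnhancedKeyUsageExtension]
; serverAuth
OID=1.3.6.1.5.5.7.3.1

[Extensions]
; subjectAltName
2.5.29.17 = "{text}"
_continue_ = "dns=example.com&"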

OID=1.3.6.1.5.5.7.3.1, by the way, means {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) serverAuth(1)}, and 2.5.29.17 is {joint-iso-itu-t(2) ds(5) certificateExtension(29) subjectAltName(17)}.

certreq.exe -new csr.inf csr256.req

I installed the certificate that I received from my CA on the machine that’s got the private key – the machine that created the csr. It was installed on the local computer. From there on I was able to export the certificate as a pfx (Personal Information Exchange), also with the certificate management in Microsoft Management Console. The export was done including the private key, which was needed for the other machines. This is also the step where the password for the key in the pfx is chosen.

From here on I used openssl to convert the pfx into the various other files.

Export of the key of a pfx to a pem:

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

Export of the certificate of a pfx to a pem:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

Export of the certificate and the certificate chain of a pfx to a pem (without -clcerts or -cacerts, every certificate in the pfx is written):

openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

Export of all certificates in the pfx to a pem, together with the private key (unencrypted, because of -nodes):

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

If a pem is needed that includes the key, the key (from -----BEGIN PRIVATE KEY-----MIIJQw...) can just be inserted above the -----BEGIN CERTIFICATE----- of the cert.pem. If the file contains headers, such as Bag Attributes local key... it should be inserted above that.

Openssl can also be used to get a crt from the pfx:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
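
Before the exported files are copied to other machines, it is worth checking that key.pem and cert.pem really belong together. The script below is an added example, not part of the original post: it builds a throwaway pfx, runs the two export commands from above, compares the public keys and only then writes the combined pem with the key on top. The function names, file names and the password "demo" are constructed for the demo, and it assumes a POSIX shell (for example Git Bash or WSL on Windows) with openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, file names and
# the password "demo" are constructed for this demo.

# Build a throwaway self-signed wildcard certificate and bundle it as a pfx.
make_demo_pfx() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.com" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout pass:demo -out "$1/cert.pfx"
}

# The page's two export commands. umask 077 keeps the unencrypted key.pem
# readable by the current user only.
split_pfx() {  # $1 = working directory
    ( umask 077
      openssl pkcs12 -in "$1/cert.pfx" -passin pass:demo -nocerts -nodes \
          -out "$1/key.pem" &&
      openssl pkcs12 -in "$1/cert.pfx" -passin pass:demo -clcerts -nokeys \
          -out "$1/cert.pem" ) 2>/dev/null
}

# Return 0 only if the private key and the certificate carry the same public
# key. Returns 2 if either file cannot be parsed, so garbage never "matches".
key_matches_cert() {  # $1 = key pem, $2 = certificate pem
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Combined pem as described above: key first, certificate below it.
# Nothing is written unless the key and certificate match.
combine_pem() {  # $1 = key pem, $2 = certificate pem, $3 = output file
    key_matches_cert "$1" "$2" || return 1
    ( umask 077; cat "$1" "$2" > "$3" )
}
```

With a real pfx, replace `-passin pass:demo` with an interactive prompt or `-passin file:...` so the password does not end up in the shell history or the process list.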