If you have a Microsoft IIS website or you know someone who does, you should know that IIS uses a pkcs12 format for their certificates and private keys. These are binary encoded files with .pfx or .p12 extension and have a private key and certs encoded together in the file. If you are wanting to convert your IIS website to an apache website, you will need to covert these pkcs12 files to the PEM format that apache uses. Openssl is the tool you need to use for this.
To extract the cert and private key from a pkcs12 file, to be output into a PEM style file. You will be prompted for the password if a password was used on the input file, and a password to encrypt the private key. If you don’t want to encrypt the private key, use the -nodes option.
$ openssl pkcs12 -in cert.pfx -out cert.pem
Openssl will extract the cert and private key to stdout by default. This often enough if you looking to merely copy and paste and ASCII formatted output.
$ openssl pkcs12 -in cert.pfx
To create a pkcs12 style file from your already existing cert and private key. The pkcs12 format associates a name with contents of the file. Use the -name option to set the name. If you are converting your private key and cert from your apache server to the pkcs12 format, it expects the file you import to be in PEM format. You will be prompted to set a password.
$ sudo openssl pkcs12 -export -out cert.pfx -in server.pem -name "My Cert"
However, you can import private key and web cert separately using the -inkey and -in options. Use -in to specify the file that contains your cert, and -inkey to specify the file that contains your key.
$ openssl pkcs12 -export -out cert.pfx -inkey server.key -in server.crt -name "My Cert"
Openssl is the most useful and most versatile tool for dealing with crypto issues. It is your crypto Swiss army knife. Look for many future posts demonstrating openssl performing other tasks.