OpenSSL – How to convert SSL Certificates to various formats – PEM CRT CER PFX P12 & more

How to use the OpenSSL tool to convert an SSL certificate and private key to various formats (PEM, CRT, CER, PFX, P12, P7B, P7C extensions & more) on Windows and Linux platforms

SSL Certificates - Standards, formats and main extensions: PEM, CER, CRT, DER, P7B, PFX, P12

In this post, part of our “how to manage SSL certificates on Windows and Linux systems” series, we’ll show how to convert an SSL certificate into the most common formats based on the X.509 standard: the PEM format and the PKCS#12 format, also known as PFX. The conversion is done with OpenSSL, a free tool available for Linux and Windows platforms.

Before getting to the OpenSSL console commands, we recommend taking a look at our overview of the X.509 standard and the most popular SSL certificate file formats: CER, CRT, PEM, DER, P7B, PFX, P12 and so on.

Installing OpenSSL

The first thing to do is to make sure your system has OpenSSL installed: it is a tool that provides an open source implementation of the SSL and TLS protocols and that can be used to convert certificate files into the most popular X.509 v3 based formats.

OpenSSL on Linux

If you’re using Linux, you can install OpenSSL with the following YUM console command:

If your distribution is based on APT instead of YUM, you can use the following command instead:

OpenSSL on Windows

If you’re using Windows, you can install one of the many OpenSSL open-source implementations: the one we can recommend is Win32 OpenSSL by Shining Light Productions, available as a light or full version, both compiled in x86 (32-bit) and x64 (64-bit) modes. You can install any of these versions, as long as your system supports them.

IMPORTANT: OpenSSL for Windows requires the Visual C++ 2008 Redistributables runtime in order to work.

OpenSSL is basically a console application, meaning that we’ll use it from the command line: after the installation process completes, it’s important to check that the installation folder (C:\Program Files\OpenSSL-Win64\bin for the 64-bit version) has been added to the system PATH (Control Panel > System > Advanced > Environment Variables): if that’s not the case, we strongly recommend adding it manually, so that you can avoid typing the complete path of the executable every time you need to launch the tool.

Once OpenSSL is installed, we’ll be able to use it to convert our SSL certificates into various formats.

From PEM (pem, cer, crt) to PKCS#12 (p12, pfx)

This is the console command that we can use to convert a PEM certificate file (.pem, .cer or .crt extensions), together with its private key (.key extension), into a single PKCS#12 file (.p12 and .pfx extensions):

If you also have an intermediate certificates file (for example, CAcert.crt), you can add it to the “bundle” using the -certfile command parameter in the following way:

From PKCS#12 to PEM

If you need to “extract” a PEM certificate (.pem, .cer or .crt) and/or its private key (.key) from a single PKCS#12 file (.p12 or .pfx), you need to issue two commands.

The first one is to extract the certificate:

The second one retrieves the private key:

IMPORTANT: the private key obtained with the above command will be in encrypted format: to convert it to RSA format, you’ll need to run a third command:

Needless to say, since PKCS#12 is a password-protected format, in order to execute all the above commands you’ll be prompted for the password that was used when creating the .pfx file.
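The two conversions described above (PEM to PKCS#12 and back), run end to end as an added example that is not code from the original post: it builds a throwaway self-signed certificate, bundles it, extracts the certificate and key again, and checks that the result still matches. The file names, the `example.test` subject and the `PFX_PASS` variable are assumptions; the password is read with `env:` so it does not appear in the process list.

```shell
#!/bin/sh
# Added example: PEM -> PKCS#12 -> PEM round trip on constructed, throwaway data.
set -eu
umask 077                                # private keys must not be group/world readable
WORK=$(mktemp -d)                        # scratch directory for the sample files
trap 'rm -rf "$WORK"' EXIT               # the decrypted key is deleted on exit
PFX_PASS='constructed-sample-password'   # sample value; env: keeps it out of argv
export PFX_PASS

make_sample_pair() {   # constructed self-signed certificate + unencrypted RSA key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

pem_to_pfx() {         # certificate + key -> one password-protected PKCS#12 file
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -out "$WORK/bundle.pfx" -passout env:PFX_PASS
}

pfx_to_pem() {
    # 1) certificate only
    openssl pkcs12 -in "$WORK/bundle.pfx" -clcerts -nokeys \
        -passin env:PFX_PASS -out "$WORK/out.crt" 2>/dev/null
    # 2) private key only; it is written encrypted with the -passout password
    openssl pkcs12 -in "$WORK/bundle.pfx" -nocerts \
        -passin env:PFX_PASS -passout env:PFX_PASS -out "$WORK/out.enc.key" 2>/dev/null
    # 3) remove the encryption; protect or delete the result after use
    openssl rsa -in "$WORK/out.enc.key" -passin env:PFX_PASS \
        -out "$WORK/out.key" 2>/dev/null
}

cert_fp()  { openssl x509 -in "$1" -noout -fingerprint -sha256; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }
key_pub()  { openssl pkey -in "$1" -pubout; }

round_trip_ok() {
    # Same certificate as before, and the extracted key still belongs to it.
    [ "$(cert_fp "$WORK/server.crt")" = "$(cert_fp "$WORK/out.crt")" ] &&
    [ "$(cert_pub "$WORK/out.crt")" = "$(key_pub "$WORK/out.key")" ]
}

make_sample_pair
pem_to_pfx
pfx_to_pem
if round_trip_ok; then echo "round trip OK"; else echo "MISMATCH"; fi
```

Comparing the certificate's public key with the one derived from the key file is also a quick way to confirm that a .crt and a .key belong together before bundling them.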

From DER (.der, .cer) to PEM

From PEM to DER

From PEM to PKCS#7 (.p7b, .p7c)

From PKCS#7 to PEM

From PKCS#7 to PFX
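One way to carry out the DER, PEM and PKCS#7 conversions named in the headings above, as an added example that is not code from the original post, run on a constructed self-signed certificate and checked by fingerprint. File names, the `example.test` subject and `PFX_PASS` are assumptions; PKCS#7 files hold certificates only, so the PKCS#7 to PFX step needs the private key from a separate file.

```shell
#!/bin/sh
# Added example: DER <-> PEM, PEM <-> PKCS#7 and PKCS#7 -> PFX on constructed data.
set -eu
umask 077                                # the key and PFX stay private to this user
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-sample-password'   # sample value, read through env:
export PFX_PASS

# Constructed throwaway certificate and key (PEM).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/server.key" -out "$WORK/cert.pem" 2>/dev/null

pem_to_der() { openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/cert.der"; }
der_to_pem() { openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/from_der.pem"; }

# PEM -> PKCS#7: certificates only, no CRL and no private key.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/cert.p7b"; }

# PKCS#7 -> PEM: writes every certificate contained in the file.
p7b_to_pem() { openssl pkcs7 -print_certs -in "$WORK/cert.p7b" -out "$WORK/from_p7b.pem"; }

# PKCS#7 -> PFX: two steps, PKCS#7 -> PEM, then PEM + private key -> PKCS#12.
p7b_to_pfx() {
    p7b_to_pem
    openssl pkcs12 -export -in "$WORK/from_p7b.pem" -inkey "$WORK/server.key" \
        -out "$WORK/from_p7b.pfx" -passout env:PFX_PASS
}

# SHA-256 fingerprint of a certificate file; $2 is the input format (default pem).
fp() { openssl x509 -in "$1" -inform "${2:-pem}" -noout -fingerprint -sha256; }

# Fingerprint of the certificate stored inside the PFX.
pfx_fp() {
    openssl pkcs12 -in "$WORK/from_p7b.pfx" -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

pem_to_der; der_to_pem; pem_to_p7b; p7b_to_pfx
ORIG=$(fp "$WORK/cert.pem")
[ "$ORIG" = "$(fp "$WORK/cert.der" der)" ] && echo "DER matches"
[ "$ORIG" = "$(fp "$WORK/from_p7b.pem")" ] && echo "PKCS#7 matches"
[ "$ORIG" = "$(pfx_fp)" ] && echo "PFX matches"
```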

Online SSL Converters

If you can’t (or don’t want to) install OpenSSL, you can convert your SSL Certificates using one of these web-based online tools:

Both of them work really well and can convert most, if not all, of the formats detailed above: at the same time, you need to think seriously about the security implications of uploading your SSL certificates (and possibly their private keys) to a third-party service. As trustworthy and secure as those two sites have been to date, we still don’t recommend such a move.


That’s it, at least for the time being: we hope that these commands will be helpful to those developers and system administrators who need to convert SSL certificates into the various formats required by their applications.

See you next time!

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he has also been a lead designer of many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
