16 March 2011

How to export and convert a Windows .PFX certificate to a Unix / Linux compatible .cer or .pem file

When publishing a Unix web environment behind TMG you will most likely have to export a certificate from one platform to the other. The problem is that although both sides use certificates, they come in different formats.

To get the files you need you will have to:
  • Export
  • Convert
  • Extract
For this you will need OpenSSL; you can download the Windows version from http://gnuwin32.sourceforge.net/packages/openssl.htm

This will install the command line utility that will allow you to do the conversion.

For this I am going to assume that the certificate has been requested and installed on a Windows server.

The Export
From the Certificate MMC console you can now choose to export your certificate.

You will need to export the private key to be able to use the certificate server side.

Choosing to export all the certificates in the path makes it much simpler to import chains of certificates.

You will also be prompted for a password.
This will now give you an exported pfx file that contains the private key.  You can tell by the icon that has a key on it.


A Windows machine can import the PFX package but for the Unix platform you need to "break it up" into individual files.

The Conversion

After installing the OpenSSL utility you can open a command prompt and execute the following command to convert the .pfx to a .cer:

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

You should be prompted for the export password; the conversion has succeeded when you see a "MAC verified OK" message.



The resulting file is a plain text file that needs to be broken up to form the individual certificate and key files.

The Extraction

Open the file in a text editor

You will see that the file is segmented into different parts starting with a line:

BAG Attributes

and ending with

-----END RSA PRIVATE KEY----- or
-----END CERTIFICATE-----

The number of certificates in the exported chain will determine how many certificate sections are in the file.

Copy the content of each segment and save it in a separate text file.

The file containing the private key needs to be saved as a .key file, while the files containing the certificate sections can be saved as .cer files.

Alternative extensions for the certificate files are .pem and .crt.
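
The extraction step above done with a script instead of a text editor, as an added example that is not part of the original post: it splits the text produced by the openssl pkcs12 command into one .key file and numbered .cer files. The function names, the certificate-N.cer naming and the sample text (constructed, with dummy bodies) are assumptions; because -nodes leaves the private key unencrypted, the key file is created readable by its owner only.

```python
import os
import re

# One PEM block; the back-reference keeps the BEGIN and END labels paired.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def split_pem_bundle(text):
    """Return (keys, certs) as PEM strings in file order; attribute lines are dropped."""
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0).replace("\r\n", "\n") + "\n"
        if m.group(1).endswith("PRIVATE KEY"):   # RSA, PKCS#8 or ENCRYPTED key labels
            keys.append(block)
        elif m.group(1) == "CERTIFICATE":
            certs.append(block)
    return keys, certs

def write_split(text, out_dir, base="certificate"):
    """Write base.key and base-N.cer into out_dir; return the paths written."""
    keys, certs = split_pem_bundle(text)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    key_path = os.path.join(out_dir, base + ".key")
    # Request mode 0600 at creation so a new key file is never group/world readable.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0])
    paths = [key_path]
    for i, cert in enumerate(certs, 1):
        paths.append(os.path.join(out_dir, f"{base}-{i}.cer"))
        with open(paths[-1], "w") as f:
            f.write(cert)
    return paths

# Constructed sample shaped like the converted file; the bodies are dummy text.
SAMPLE = """Bag Attributes
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END RSA PRIVATE KEY-----
Bag Attributes
subject=/CN=www.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
subject=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2E=
-----END CERTIFICATE-----
"""
```

Read the converted file into a string and pass it to write_split together with the target directory; delete the combined file afterwards, since it also holds the unencrypted key.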






These .key and .cer files should now be compatible with your Unix system.

