Skip to content

Convert Certificates ???? Für aktuelles Produkt umarbeiten ????


A TLS certificate can be provided in different formats or containers such as PEM or PKCS#12. Also, the certificate files can have different extensions, for example, .crt and .key for PEM or .p12 and .pfx for PKCS#12. Some of the files can be encrypted and signed. The formats and the files can be converted among each other.


Hint - tools

The openssl program mentioned below can be downloaded from heise.de for example. The keytool program for creating a Java keystore is part of the Java installation. For further information, refer to Keytool.


Convert PEM into PKCS#12

openssl pkcs12 -export -in <certificate.crt> -inkey <certificate.key> -out <certificate.p12> -name default -CAfile <cacerts.crt> -caname <root>


Extract the Certificate from .pfx (PKCS#12) into .crt (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.crt>


Extract the Private Key from .pfx (PKCS#12) into .key with Encryption (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key_encrypted.key>


Extract the Private Key from .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key.pem>


Extract the Certificate from .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.pem>


Remove the Encryption from .key (PEM)

openssl rsa -in <key_encrypted.key> -out <key_decrypted.key>


Convert .crt (PEM) into .cer (PEM)

  1. Open the Windows certificate dialog by double-clicking the .crt file.

  2. In the Details tab, click Copy to File....

  3. Select the CER format you want to use.


Convert .cer (PEM) into .pem (PEM)

  1. [Convert .crt into .cer](#convert-.crt-(PEM%29-into-.cer-(PEM%29), see above.

  2. Replace the .cer extension of the saved file by .pem.


Extract the CA Certificate File from .pfx (PKCS#12) into .cer (PEM)

openssl pkcs12 -in <certificate.pfx> -cacerts -nokeys -chain -out <cacerts.cer>


Create a Java Keystore from .p12 (PKCS#12):

keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <keystore.jks> -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default


Back to top