Wednesday 19 July 2023

Convert pfx SSL (Windows) to PEM with KEY file

Securing websites with SSL certificates is essential for protecting sensitive data and establishing trust with users. Windows Internet Information Services (IIS) provides a straightforward way to generate SSL certificates. However, if you need to work with other systems or perform advanced configurations, converting the certificate to the PEM and KEY file formats using OpenSSL can be beneficial. In this blog post, we will guide you through the process of exporting an SSL certificate from Windows IIS and converting it into PEM and KEY files using OpenSSL.


Before we begin, ensure that you have the following prerequisites in place:

  1. Windows Server with Internet Information Services (IIS) installed.
  2. OpenSSL installed on your system. You can download it from the OpenSSL website (, Linux OS works better for this part,  or you can use chocolatey to install it in to Windows with the following command
choco install openssl -y

Exporting the SSL Certificate from Windows IIS:

  1. Open the Internet Information Services (IIS) Manager on your Windows Server.
  2. In the left-hand pane, select your server name.
  3. In the middle pane, double-click on "Server Certificates."
  4. Locate the SSL certificate you wish to export, right-click on it, and select "Export."

Exporting the Certificate as a PFX File:

  1. In the Export Certificate wizard, select the desired options and click "Next."
  2. Choose a path and filename for the exported file, e.g., "certificate.pfx," and set a secure password.
  3. Click "Finish" to complete the export process.

Converting the PFX File to PEM Format:

  1. Open a command prompt or terminal window.
  2. Navigate to the directory where you saved the OpenSSL executable.
  3. Execute the following command to convert the PFX file to a PEM file without the private key:

openssl pkcs12 -in certificate.pfx -out certificate.nokey.pem -nokeys

Extracting the Private Key:

Run the following command to export the certificate along with the private key:

openssl pkcs12 -in certificate.pfx -out certificate.withkey.pem

Converting the Private Key to KEY Format:

Execute the following command to extract the private key and save it in KEY format:

openssl rsa -in certificate.withkey.pem -out certificate.key

If you no longer need the PEM file containing both the certificate and private key, you can delete it.

Combining PEM and KEY Files:

To combine the PEM and KEY files into a single file, execute the following command:

cat certificate.nokey.pem certificate.key > certificate.combo.pem

This process allows you to work with the certificate in other systems or perform advanced configurations. By following these steps, you can securely manage and transfer SSL certificates across different platforms. Remember to keep the exported files in a secure location and follow best practices for certificate management.

No comments:

Post a Comment