By Manny Fernandez

September 30, 2021

Converting Certificates using OpenSSL

Over the course of most security administrators' careers, you will inevitably need to convert certificates from one format to another. This is easily done using openssl. OpenSSL is available on all Linux distros as well as macOS. Some have installed it on Windows but I do not trust some of the sources for it. The easiest way in my opinion is to install Ubuntu on Windows 10 (I have an article coming on that soon, but it is very simple).

Let's get started

Converting x509 to PEM

openssl x509 -in certname.cer -outform PEM -out certname.pem

An X.509 certificate is a digital certificate based on the International Telecommunications Union (ITU) X.509 standard, which defines the format of public key infrastructure (PKI) certificates.  PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Converting PEM to DER

openssl x509 -outform der -in certname.pem -out certname.der

DER files are digital certificates in binary format, instead of the ASCII PEM format. DER files may end with .der or .cer, so to differentiate between a DER .cer file and a PEM .cer file, you may need to use a text editor to read the file. A DER file should not have any BEGIN/END statements and will show garbled binary content.
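One way to script the check described above instead of opening each .cer file in a text editor. This is an added example, not part of the original post; the function names cert_format and to_pem are assumptions.

```shell
#!/bin/sh
# Added example: tell a PEM .cer from a DER .cer by content, not extension.

# cert_format FILE -> prints "pem", "der" or "unknown"
cert_format() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # PEM: a text file carrying the BEGIN CERTIFICATE header line.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
        return 0
    fi
    # DER: raw ASN.1, which for a certificate starts with a SEQUENCE tag (0x30).
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 1
}

# to_pem IN OUT: normalise a certificate to PEM whatever its extension says,
# passing the detected encoding to openssl x509 as -inform.
to_pem() {
    fmt=$(cert_format "$1") || { echo "not a certificate: $1" >&2; return 1; }
    openssl x509 -inform "$fmt" -in "$1" -outform PEM -out "$2"
}
```

The leading 0x30 byte only shows that the file is plausibly DER; openssl x509 still does the real parsing and rejects anything that is not a certificate.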


Converting DER to PEM

openssl x509 -inform der -in certname.der -out certname.pem

See DER and PEM descriptions above.


Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certname.pem -out certname.p7b -certfile CACert.cer

The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.   A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.


Convert PKCS7 to PEM

openssl pkcs7 -print_certs -in certname.p7b -out certname.pem

See PKCS7 and PEM descriptions above.


Convert PKCS12 (PFX) to PEM

openssl pkcs12 -in certname.pfx -out certname.pem

A PKCS#12 or .pfx file is a file which contains both private key and X.509 certificate, ready to be installed by the customer into servers such as IIS, Tomcat or Exchange. Certificate signing request (CSR) generation remains one of the consistent problem areas faced by customers wishing to secure their server. PKCS#12 removes the need for the customer to create their own CSR. Rather, a CA creates the CSR on behalf of the customer during the certificate application process.


Convert PKCS12 to PKCS#8

This requires two steps: first we convert from PKCS12 (PFX) to PEM, and then from PEM to PKCS8.

STEP 1: Convert PKCS12 to PEM
openssl pkcs12 -in certname.pfx -nocerts -nodes -out certname.pem

STEP 2: Convert PEM to PKCS8
openssl pkcs8 -in certname.pem -topk8 -nocrypt -out certname.pk8

In cryptography, PKCS #8 is a standard syntax for storing private key information. PKCS #8 is one of the family of standards called Public-Key Cryptography Standards (PKCS) created by RSA Laboratories. The PKCS #8 private key may be encrypted with a passphrase using the PKCS #5 standard, which supports multiple ciphers.
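Both steps above write the private key unencrypted (-nodes in Step 1, -nocrypt in Step 2). The following added example, which is not part of the original post, chains the two steps so the intermediate PEM is never written to disk and the resulting .pk8 is readable only by its owner; the function name pfx_to_pk8 and the PFX_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: PKCS12 -> PKCS8 in one pass with owner-only permissions.

# pfx_to_pk8 IN.pfx OUT.pk8
# The PFX import password is read from $PFX_PASS (assumed variable name),
# which keeps it off the command line.
pfx_to_pk8() {
    pfx=$1
    out=$2
    [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; return 1; }
    (
        umask 077                 # files created below get mode 0600
        tmp="$out.tmp.$$"
        # Step 1 piped straight into Step 2: no unencrypted PEM on disk.
        if openssl pkcs12 -in "$pfx" -nocerts -nodes \
               -passin env:PFX_PASS 2>/dev/null |
           openssl pkcs8 -topk8 -nocrypt -out "$tmp" 2>/dev/null &&
           grep -q -e '-----BEGIN PRIVATE KEY-----' "$tmp"; then
            mv -f "$tmp" "$out"   # publish only a complete, valid key file
        else
            rm -f "$tmp"
            echo "key extraction failed for $pfx" >&2
            exit 1
        fi
    )
}
```

Call it as `PFX_PASS=... pfx_to_pk8 certname.pfx certname.pk8`; a wrong password or a PFX without a key leaves no output file behind.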


 

Convert P7B to PKCS12 (PFX)

STEP 1: Convert P7B to CER
openssl pkcs7 -print_certs -in certname.p7b -out certname.cer

STEP 2: Convert CER and Private Key to PFX
openssl pkcs12 -export -in certname.cer -inkey privateKey.key -out certname.pfx -certfile cacert.cer

See P7B and PKCS12 descriptions above.
