Skip to content

Convert Certificates


A TLS certificate can be provided in different formats or containers such as PEM or PKCS#12. Also, the certificate files can have different extensions, for example, .crt and .key for PEM or .p12 and .pfx for PKCS#12. Some of the files can be encrypted and signed. The formats and the files can be converted among each other.


Hint - tools

The openssl program mentioned below can be downloaded from heise.de for example. The keytool program for creating a Java keystore is part of the Java installation. For further information, refer to Keytool.


Convert PEM into PKCS#12

openssl pkcs12 -export -in <certificate.crt> -inkey <certificate.key> -out <certificate.p12> -name default -CAfile <cacerts.crt> -caname <root>

Extract the Certificate from .pfx (PKCS#12) into .crt (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.crt>

Extract the Private Key from .pfx (PKCS#12) into .key with Encryption (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key_encrypted.key>

Extract the Private Key from .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key.pem>

Extract the Certificate from .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.pem>

Remove Encryption from .key (PEM)

openssl rsa -in <key_encrypted.key> -out <key_decrypted.key>

Convert .crt (PEM) into .cer (PEM)

  1. Open the Windows certificate dialog by double-clicking the .crt file.

  2. In the Details tab, click Copy to File....

  3. Select the CER format you want to use.


Convert .cer (PEM) into .pem (PEM)

  1. Convert .crt (PEM) into .cer (PEM), see above.

  2. Replace the .cer extension of the saved file by .pem.


Extract the CA Certificate File from .pfx (PKCS#12) into .cer (PEM)

openssl pkcs12 -in <certificate.pfx> -cacerts -nokeys -chain -out <cacerts.cer>

Create a Java Keystore from .p12 (PKCS#12):

keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <keystore.jks> -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default

Back to top