I’m writing this short reference for myself and for others in my office. We frequently have to work with certificate files for various web based services and applications that we support. OpenSSL is a handy tool to work with these files directly from the command line or Terminal.
Terminal CLI command to convert .pfx to .pem
Use the following in Terminal to convert your .pfx cert to a .pem cert. You will need to authenticate with the passphrase used to generate the .pfx certificate.
openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts
In the above command, the
client_ssl.pfx is the file and path to the cert ending in .pfx For example if you have the
client_ssl.pfx cert on your Desktop(macOS) then you would use
client_ssl.pem is the path to where you want it to save the converted .pem certificate. So if I want to save the .pem file created by this command to my Desktop(macOS), then I would use
Putting this all together in one command would result in the following:
openssl pkcs12 -in ~/Desktop/client_ssl.pfx -out client_ssl.pem -clcerts
Additional instructions on pfx to pem conversion
You can find additional instructions on using OpenSSL to convert .pfx to .pem in this post on Stack Overflow.
Install and Run OpenSSL on macOS
Probably the easiest way to install and run OpenSSL on macOS is to use homebrew. Homebrew is a popular application that helps to port *nix based applications to macOS. You can install homebrew from the following website:
Once you’ve installed homebrew, open Terminal and type: brew install openssl
Additional macOS Instructions on using OpenSSL from Medium.com article
Check out this useful article from Medium.com by @timmykko for additional info on using homebrew to install and use OpenSSL.
Note: Windows 10 and Linux options can be found at the end of this article.
openssl Command Options
The following options are available as listed in the man page for openssl
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg – PEM format directory of CA’s
-CAfile arg – PEM format file of CA’s
-name “name” use name as friendly name
-caname “nm” use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don’t output anything, just verify.
-nomacver don’t verify MAC.
-nocerts don’t output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don’t output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-nodes don’t encrypt private keys
-noiter don’t use encryption iteration
-nomaciter don’t use MAC iteration
-maciter use MAC iteration
-nomac don’t generate MAC
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-macalg alg digest algorithm used in MAC (default SHA1)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
Install and run OpenSSL on Windows 10
Instructions on installing OpenSSL on Windows 10 can be found in the KB from digicert.
OpenSSL home page to get the installers for Linux
Be sure to check out the OpenSSL homepage for additional info and to obtain Linux installers.