Create a PKCS12 (.pfx or .p12) from OpenSSL files (.pem, .cer, .crt...)
You have a private key file in an OpenSSL format and have received your SSL certificate. You would now like to create a PKCS12 (or .pfx) file to import your certificate into other software?
Here is the procedure!
- Retrieve the private key file (xxx.key) (previously generated along with the CSR).
NOTE: you can convert your .pkey file into a .key file with our tool to decipher private keys.
The command can handle a .pkey as well. You'll have to provide the key password in this case.
- Download the .pem file from your certificate status page ("View certificate" button, then "View the X509 certificate with its chain", and click the download link).
- Create the pkcs12 file that will contain your private key and the certification chain:
openssl pkcs12 -export -legacy -inkey your_private_key.key -in pem-file.pem -name my_name -out final_result.pfx
You will be asked to define an encryption password for the archive (it is mandatory to be able to import the file in IIS). You may also be asked for the private key password if there is one!
You can now use the final_result.pfx file in any software that accepts PKCS12 as input!
Alternatively, if you want to generate a PKCS12 from a certificate file (cer/pem), a certificate chain (generally pem or txt), and your private key, you need to use the following command:
openssl pkcs12 -export -legacy -inkey your_private_key.key -in your_certificate.cer -certfile your_chain.pem -out final_result.pfx
Do you get the "pkcs12: Unrecognized flag legacy" error?
In this case, remove the "-legacy" parameter from the commands above.
Version 3 of OpenSSL needs the "-legacy" parameter to generate a PFX compatible with older software. Version 1 of OpenSSL generates a compatible PFX directly.
Technical parameters of a PFX
Use the following command to display the technical parameters of a PFX for debugging:
openssl pkcs12 -noout -info -in file.pfx
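As an added example (not part of the original page), the script below wraps the first export command above: it checks that the private key matches the certificate before exporting, adds -legacy only when the installed openssl lists that flag, and reads the archive back with the info command. The function names and the PFX_PASS environment variable are assumptions of the example, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example. Function names and PFX_PASS are assumptions of this example.

# Prints "-legacy" if this openssl build lists the flag (OpenSSL 3), else nothing.
legacy_flag() {
    if openssl pkcs12 -help 2>&1 | grep -q -e '-legacy'; then
        echo "-legacy"
    fi
}

# Succeeds when the private key and the first certificate in the file
# carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_pfx KEY PEM OUT_PFX NAME
# The archive password comes from the PFX_PASS environment variable, so it
# is not typed on the command line.
make_pfx() {
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match the certificate in $2" >&2
        return 1
    fi
    legacy=$(legacy_flag)
    # $legacy is left unquoted on purpose: it expands to nothing on OpenSSL 1.
    openssl pkcs12 -export $legacy -inkey "$1" -in "$2" -name "$4" \
        -out "$3" -passout env:PFX_PASS || return 1
    # Read the archive back; a PFX written with -legacy is read with -legacy.
    openssl pkcs12 -noout -info $legacy -in "$3" -passin env:PFX_PASS
}

# Usage: PFX_PASS=... sh make_pfx.sh your_private_key.key pem-file.pem final_result.pfx my_name
if [ "$#" -eq 4 ]; then
    make_pfx "$@"
fi
```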