picture of tbs certificates
picture of tbs certificates
Our products range

OpenSSL - case of use and conversion

OpenSSL is a toolbox used by the main opensource software to implement SSL.
Cases related to SSH:

Certificates conversion with OpenSSL

  • PFX (#PKCS12) - Windows to PEM - Apache
    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

  • P7B (#PKCS7) to PEM
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

  • PEM to P7B (#PKCS7)
    openssl crl2pkcs7 -nocrl -output DER -certfile certificat.pem -out certificat.p7b
    Note: certificate.pem is usually the result of a concatenation of your certificate and the certification chain.
    Case of Chorus Pro: this service requires the inclusion of the root certificate as well (list of TBS INTERNET root certificates). For example :
    cat pem-xxx-yyy.pem
    openssl crl2pkcs7 -nocrl -certfile pem-xxx-yyy.pem -out xxx-yyy.p7b

  • Remove a password from a private encrypted key
    openssl rsa -in key-file-with-password.pkey -out file-without-password.key 

  • DER to PEM - Apache
    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • PEM - Apache to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der

  • PEM to PFX (#PKCS12) - Windows
     openssl pkcs12 -export -legacy -out certificate.pfx -inkey privaye_key.key -in certificate.crt -certfile CACert.crt

  • P7B to PFX (#PKCS12) - Windows
    openssl pkcs7 -in p7-0123456789-1111.p7b -inform DER -out result.pem -print_certs
        openssl pkcs12 -export -legacy -inkey your_private_key.key -in result.pem -name my_label -out final_result.pfx

You get the "pkcs12: Unrecognized flag legacy" error?

In this case, remove the "-legacy" parameter from the commands above

The version 3 of openSSL needs the "-legacy" parameter to generate a PFX compatible with older software. The version 1 of openSSL generate a compatible PFX directly.

Technical parameters of a PFX

use the following command to display the technical parameters of a PFX for debug:

openssl pkcs12 -noout -info -in file.pfx

Useful links