Convert a PEM Certificate to PFX/P12 format PEM certificates are not supported, they must be converted to PKCS#12 (PFX/P12) format. Openssl pkcs12 -in -nocerts -nodes -out private.key Make sure that the certificate file and the private key are generated to the same folder where the PFX file is stored. If the certificate file or the private key contains the bag attributes, delete these attributes using any convenient text editing software and save the file.
If you were ever asked by backend developer to provide .pem file to support Apple Push Notifications on the server you know how painful it is. This post will guide step by step.
Convert Pem To P12 Without Openssl
Cer.p12: openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12 key.p12: openssl pkcs12 -nocerts -out key.pem -in key.p12. To convert to PEM format, use the pkcs12 sub-command. Openssl pkcs12 -in. SomeKeyStore.pfx -out. SomeKeyStore.pem -nodes You can convert a PEM certificate and private key to PKCS#12 format as well using -export with a few additional options. To convert a certificate from PKCS#7 to PFX, the certificate should be first converted into PEM: openssl pkcs7 -printcerts -in yourpkcs7certificate.p7b -out yourpemcertificates.pem. After that, the certificate can be converted into PFX. Openssl pkcs12 -export -out yourpfxcertificate.pfx -inkey yourprivate.key -in yourpemcertificate.crt.
At first, you have to create this certificate and import it to your keychain, but I assume you know how to do it. Let’s jump to the tricky part:
Export certificate and key separately
(right-click -> Export -> choose .p12 format). To make things easier you can name certificate
apns-cert.p12 and key
apns-key.p12 When prompted for a password, leave it blank.
To convert certificate please execute following command in terminal:
openssl pkcs12 -clcerts -nokeys -out apns-cert.pem -in apns-cert.p12 Just hit enter when asked for a password.
To convert key please execute following command in terminal:
openssl pkcs12 -nocerts -out apns-key.pem -in apns-key.p12 In this case, you will be asked for the password twice, first time hit enter as there was no password. In the second case, you will be asked to set a password to the newly created PEM file, please set it.
Remove the encryption from the key
To remove previously set password execute the following command in terminal:
openssl rsa -in apns-key.pem -out apns-key-noenc.pem
To merge both generated pem files into one complete pem please execute:
cat apns-cert.pem apns-key-noenc.pem > apns.pem
apns.pem to your backend developer 😉
I hope this tutorial will save you lot of time.
You have a private key file in an openssl format and have received your SSL certificate. You'd like now to create a PKCS12 (or .pfx) to import your certificate in an other software?
Here is the procedure!
- Find the private key file (xxx.key) (previously generated along with the CSR).
- Download the .p7b file on your certificate status page ('See the certificate' button then 'See the format in PKCS7 format' and click the link next to the diskette).
- a) Convert this file into a text one (PEM):
On Windows, the OpenSSL command must contain the complete path, for example:
- b) Now create the pkcs12 file that will contain your private key and the certification chain:
You will be asked to define an encryption password for the archive (it is mandatory to be able to import the file in IIS). You may also be asked for the private key password if there is one!
Openssl Pem To Pkcs12
You can now use the file file final_result.p12 in any software that accepts pkcs12! For IIS, rename the file in .pfx, it will be easier.
Alternatively, if you want to generate a PKCS12 from a certificate file (cer/pem), a certificate chain (generally pem or txt), and your private key, you need to use the following command: