Table of Contents
  • Home
  • /
  • Blog
  • /
  • Step by Step Procedure to Convert a CER Certificate to PFX Without the Private Key
December 7, 2023
|
9m

Step by Step Procedure to Convert a CER Certificate to PFX Without the Private Key


Step By Step Procedure To Convert A Cer Certificate To Pfx Without The Private Key

Before jumping into the procedure to convert a CER certificate to PFX without the private key. Lets understand the difference between the certificate formats.

You can always refer X.509 certificate Request for Comments (RFC) and X.509 articles to know about the digital certificates in depth. X.509 certificates come majorly in two formats: 

  • Base64 (ASCII)

  • Binary

Again there are two formats underneath Base64. They are PEM and PKCS#7. As like Base64, Binary has two formats too: DER and PKCS#12.

Of all these certificate formats few of them come bundled with a private key and few are not. To tell in short, .cer, .crt, and .p7b formats necessarily dont have the private key with them. Whereas .pfx is always bundled with a private key.

Most of the Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats which dont have the private key in most of the cases. But, your application needs the certificate in .pfx format. Now, you have a .cer certificate in your hand, but you need a .pfx certificate to deploy. And, you cant convert the .cer certificate to .pfx without the private key. This problem has created confusion in most people and may create delays in the certificate deployment/renewal process.

We thought it is an excellent idea to address this common problem. So we are here to explain the complete step by step process to convert a CER Certificate to PFX Without the private key.

Overview of CER and PFX Certificates

Since, we are dealing with two commonly used certificate formats: CER and PFX. Lets learn more about them. Both CER and PFX are for different purpose.

You might know that digital certificates are used for two main reasons:

  1. Secure communications

  2. Authenticate identities online.

CER or CRT files contain the public key and other certificate information in a binary DER encoded format or Base64 encoded PEM format. Since it only has the public key, it is most likely used to complete three-way handshake. On the other hand, since it doesnt bundled with private key, It cannot be used alone for authentication.

PFX or PKCS #12 files contain the public key, private key, and certificate chain in an encrypted container. The private key allows PFX files to be used for authentication purposes.

PFX files are more versatile as they bundle both public and private keys. CER files are easier to distribute publicly since they only contain the public key.

Common uses of CER files include distributing public keys and root/intermediate certificates. PFX files are used for authentication in applications and web servers.

CER vs PFX

FeatureCERPFX
ContentsPublic key + certificate infoPublic key + private key + certificate info
File formatBinary DER or PEM encodingEncrypted binary container
File extension.cer, .crt, .der.pfx, .p12
EncryptionNot encryptedEncrypted with password
Private keyNoYes
Authentication usageNo, public key onlyYes, has private key
Common usesDistribute public keys and certificatesAuthentication, web servers, email security
PlatformsWindows, Linux, MacWindows, Linux, Java, Android, iOS and more
ConversionCan be converted to PEMCan be converted to CER/PEM

When to Convert CER to PFX?

You may need to convert a CER file to PFX format in situations like:

  • Setting up an SSL/TLS certificate on a web server that requires the private key for authentication.

  • Configuring certificate-based authentication for client applications that need to authenticate using a certificate.

  • Transferring a certificate and private key between systems. The PFX bundle keeps them together.

  • Backing up a certificate and private key for recovery purposes.

In these cases, just the public CER certificate wont work since the private key is also needed. Converting it to PFX format bundles the cert and private key.

How to Convert a CER Certificate to PFX Without the Private Key (On Windows)?

The procedure is quite simple. You can convert a CER certificate to PFX without the private key in three simple steps. But, this process will require the machine on which you have created the CSR (Certificate Signing Request) Because the private key had been created during the CRS creation process. We are just using the previously create private key to convert the CER certificate to PFX. Bear in mind, this process will work only on Windows platform.

This process has been divided into three simple tasks:

  1. Import the certificate chain to their respective stores.

  2. Open the certificate snap-in in the Windows MMC console.

  3. Export the certificate in .pfx from the MMC console.

Step 1: Import the certificate to its personal certificate store

Right-click on the certificate file.
Select 
install certificate.

Step 2: Select the Local Computer radio button
Step 3: Select the default automatic store to import the certificate
Step 4: Import the certificate

Click the Finish button to complete the import process.

Step 5: Import process complete.

Wait for a while until you see a successful message.

Step 6: Open MMC on the Windows server

Hit Win + R to open the Run utility
Type 
mmc in the box.
Press 
Ok.

Step 7: Add Certificate Snap-in

Go to File > Add/Remove Snap-in.

Step 8: Select Certificates and press Add
Step 9: Select the User or Computer Certificate snap-in

Select the snap-in which you want to create the certificate. For demonstration, we are choosing a Compute account.
Click 
Next.

Step 10: Select Local Computer

Select the local computer as you are going to create CSR on the same computer.
Click 
Finish.

Step 11: Select Certificate (Local Computer) and click Ok
Step 12: Load MMC

You will see the certificate in the personal store.

Step 13: Export the Certificate

Right Click on the Certificate
Select All Tasks -> Export

Step 14: Certificate Export Wizard

Click Next in the Certificate Export Wizard

Step 15: Export the Private Key

Select the radio button Yes, export the private key
Click Next

Step 16: Export the pfx certificate

Select the PFX radio button.
Three options are available to select during the export. Select the one which you need.
Click Next

Step 17: Select Security options to export the pfx certificate.

(Optional) Select the Group or user name of your choice if you want to set the permissions to manage the certificate.
Select a password and enter the password to encrypt the certificate.
Note: It is mandated to select the password. It is recommended to secure the private key.

Step 18: Provide the location to save the pfx Certificate.

Browse the location where you want to save the pfx certificate
Click Next

Step 19: Finish exporting the PFX certificate

This completes the procedure to convert a CER certificate to PFX without the private key on Windows.

How to Create a PFX Certificate from a CER Certificate (Using OpenSSL)?

Well, you can convert a CER file to PFX using the command line tools like OpenSSL or OpenSSL GUI for a graphical interface.

This process has been divided into three simple tasks:

  1. Export Private Key

  2. Convert CER to PEM (Optional)

  3. Bundle PEM Files into PFX

Step 1: Export Private Key

First, you need access to the associated private key for the CER certificate. If the CER was generated as part of a CSR request, the private key should be available.

Export the private key to a file. For example:

openssl rsa -in privateKey.key -out private.pem

This exports the key in PEM format.

Step 2: Convert CER to PEM (Optional)

If the CER file is in DER/binary format instead of PEM format, convert it to PEM first:

openssl x509 -inform der -in certificate.cer -out certificate.pem

This converts the DER CER file to a PEM file that can be bundled.

Step 3: Bundle PEM Files into PFX

Finally, bundle the PEM certificate and private key into a PFX file with:

openssl pkcs12 -export -out certificate.pfx -inkey private.pem -in certificate.pem

When prompted, create a password to encrypt the PFX file.

The PFX output will contain the certificate and matched private key, now in a format usable for authentication.

Thanks for reading this article. Please read more such interesting articles and keep support us.

This certificate is ready to import to an application.

With the PFX file, you can now import it into web servers, client applications, and tools that expect a certificate + private key for functions like authentication.

For example, on Windows, you can double-click the PFX and use the Certificate Import Wizard. On Linux/Apache, use the SSLCertificateFile directive to point to the PFX. Check your applications documentation for specifics on importing the PFX.

Bottom Line

Converting certificates from CER to PFX format is a useful technique for bundling public and private keys together. The PFX bundle allows you to transport your certificates between systems and use them for authentication and encryption purposes.

The process involves exporting the private key associated with the CER certificate, optionally converting the CER to PEM format, and then using OpenSSL to bundle the certificate and private key into a protected PFX file.

When generating certificates, it is recommended to create both a CER file for public distribution and a PFX file for your own private usage. The CER can be freely shared while the PFX should be carefully protected and only distributed to trusted parties.

With the ability to interconvert between CER and PFX formats, you gain flexibility in how your certificates can be used. CER files allow a wide distribution of public keys and certificate chains. PFX files give you the option to leverage your certificates for authentication, web servers, email security, code signing, and other functions requiring the private key component.

We hope this post helps understand how to convert a CER certificate to PFX or in other words, create a PFX file from a CER or CRT file. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.  

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Tutorials

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe