Before jumping into the procedure to convert a CER certificate to PFX without the private key, let’s understand the difference between the certificate formats.
You can always refer to the X.509 certificate Request for Comments (RFC) and X.509 articles to learn about digital certificates in depth. X.509 certificates come mainly in two formats: Base64 (ASCII) and Binary. There are two formats underneath Base64: PEM and PKCS#7. Like Base64, Binary has two formats too: DER and PKCS#12. Of all these certificate formats, some come bundled with a private key and some do not. In short, .cer, .crt, and .p7b formats don’t necessarily have the private key with them, whereas .pfx is always bundled with a private key.
Most Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats, which don’t have the private key in most cases. But your application needs the certificate in .pfx format. Now you have a .cer certificate in your hand, but you need a .pfx certificate to deploy, and you can’t convert the .cer certificate to .pfx without the private key. This problem has confused most people and may delay the certificate deployment/renewal process.
We thought it would be an excellent idea to address this common problem. So we are here to explain the complete step-by-step process to convert a CER certificate to PFX without the private key.
How to Convert a CER Certificate to PFX Without the Private Key?
The procedure is quite simple. You can convert a CER certificate to PFX without the private key in three simple steps. But this process requires the machine on which you created the CSR (Certificate Signing Request), because the private key was created during the CSR creation process. We are just using the previously created private key to convert the CER certificate to PFX. Bear in mind that this process works only on the Windows platform.
- Import the certificate chain to their respective stores.
- Open the certificate snap-in in the Windows MMC console.
- Export the certificate in .pfx from the MMC console.
Time needed: 5 minutes.
- Import the certificate to its personal certificate store
Right-click on the certificate file.
Select install certificate.
- Select Local Computer radio button
- Select the default automatic store to import the certificate
- Import the certificate
Click Finish button to complete the import process.
- Import process complete.
Wait for a while until you see a successful message.
- Open MMC in Windows server
Hit Win + R to open the Run utility
Type mmc in the box.
- Add Certificate Snap-in
Go to File > Add/Remove Snap-in...
- Select Certificates and press Add
- Select the User or Computer Certificate snap-in
Select the snap-in for which you want to create the certificate. For demonstration, we are choosing Computer account.
- Select Local Computer
Select Local computer, as you are going to create the CSR on the same computer.
- Select Certificate (Local Computer) and click Ok
- Load MMC
You will see the certificate in the personal store.
- Export the Certificate
Right Click on the Certificate
Select All Tasks -> Export
- Certificate Export Wizard
Click Next in the Certificate Export Wizard
- Export the Private Key
Select the radio button ‘yes, export the private key’
- Export pfx certificate
Select PFX radio button.
Three options are available to select during the export. Select the one which you need.
- Select Security options to export the pfx certificate.
(Optional) Select the Group or user name of your choice if you want to set the permissions to manage the certificate.
Select a password and enter the password to encrypt the certificate.
Note: Selecting a password is mandatory. It is recommended to secure the private key.
- Provide the location to save the pfx Certificate.
Browse the location where you want to save the pfx certificate
- Finish to export the pfx certificate
This completes the procedure to convert a CER certificate to PFX without the private key.
Thanks for reading this article. Please read more such interesting articles and keep supporting us.
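The same import, private-key check and export can be scripted. The PowerShell below is an added example, not part of the original article: the two file paths are placeholders, and the `certutil -repairstore` fallback is an addition beyond the wizard steps, for the case where the imported certificate shows no private key.

```powershell
# Added example: run elevated, on the machine where the CSR was generated.
# Both paths are placeholders (assumptions, not from the article).
$ErrorActionPreference = 'Stop'
$CerPath = 'C:\certs\certificate.cer'
$PfxPath = 'C:\certs\certificate.pfx'

# Import the issued certificate into Local Computer > Personal.
$imported  = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\My'
$storePath = "Cert:\LocalMachine\My\$($imported.Thumbprint)"
$cert      = Get-Item -Path $storePath

# The export can only include a key that Windows has paired with this
# certificate. If the pairing is missing, ask certutil to re-associate the
# certificate with a matching key container on this machine, then re-check.
if (-not $cert.HasPrivateKey) {
    & certutil.exe -repairstore my $cert.Thumbprint | Out-Null
    $cert = Get-Item -Path $storePath
}
if (-not $cert.HasPrivateKey) {
    throw "No private key for '$($cert.Subject)' on this machine; a PFX can only be exported where the CSR was created."
}

# Prompt for the PFX password as a SecureString so it never appears on the
# command line or in the console history.
$password = Read-Host -Prompt 'Password for the PFX' -AsSecureString

# Export certificate, chain and key. This fails with an error if the key
# was created as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# Re-open the file to confirm the private key really is inside it.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)
try {
    if (-not $pfx.HasPrivateKey) {
        throw "The exported file '$PfxPath' does not contain a private key."
    }
    "PFX written to $PfxPath (thumbprint $($pfx.Thumbprint), private key included)"
}
finally {
    $pfx.Dispose()
}
```

If the script stops at the private-key check, the CSR was created on a different machine or the key container has been removed, and no export option will produce a usable .pfx from that store.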
Frequently Asked Questions:
A .cer certificate is a digital certificate file that uses the X.509 standard to define the structure and contents of public key certificates. The .cer file format is primarily used in Microsoft Windows environments and contains information about the certificate owner, the certificate issuer, the certificate’s public key, and other relevant details.
A .pfx certificate is a digital certificate file format that combines the public key certificate (typically a .cer or .crt file) with its associated private key, and optionally, any intermediate certificates, into a single encrypted file. The .pfx format is commonly used in Microsoft Windows environments for importing and exporting certificates and private keys.
No, you cannot convert a .cer certificate to a .pfx certificate without the associated private key. A .pfx file requires the private key to be bundled with the public key certificate, providing a complete cryptographic identity for the certificate owner. Without the private key, a .pfx file cannot be created.
The private key is an essential part of the cryptographic identity represented by a digital certificate. It is used for secure communication, data encryption, and digital signatures. When you create a .pfx file, you are bundling the certificate’s public key and its associated private key into a single file. This provides a convenient way to export and import the complete certificate identity, including the private key, between systems and applications.
If you lost your private key, you cannot recover it, nor can you create a .pfx file using your existing .cer certificate. In this case, you should generate a new key pair, create a new Certificate Signing Request (CSR), and request a new certificate from your Certificate Authority (CA). Once you receive the new certificate, ensure that you securely back up your private key to avoid losing it again.
If you have both the .cer certificate and the private key, you can use the OpenSSL command-line tool to create a .pfx file. The following command shows how to create a .pfx file using a .cer certificate and a private key:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.cer
Replace privateKey.key with your private key file and certificate.cer with your .cer certificate file. This command will prompt you to set a password for the .pfx file. Remember this password, as you will need it when importing the .pfx file into other systems or applications.
Yes, you can use the .cer certificate directly in some cases, depending on the application or system requirements. However, some systems and applications require a .pfx file, which includes both the certificate and its associated private key. Check the documentation of the system or application you are using for specific requirements regarding certificate formats.
A .cer certificate file typically does not contain the private key. However, you can verify the contents of the .cer file using the OpenSSL command-line tool with the following command:
openssl x509 -in certificate.cer -text -noout
Replace certificate.cer with your .cer certificate file. If the file contains only the public key certificate, you will see information about the certificate owner, issuer, validity period, and public key. If the file also contains the private key, you will see additional information about the private key, but this is unlikely for a .cer file.
There is no inherent security risk in converting a .cer certificate to a .pfx file as long as you follow best practices for handling private keys. When creating a .pfx file, make sure to:
1. Set a strong password for the .pfx file to protect the bundled private key.
2. Store the .pfx file securely and restrict access to authorized users only.
3. Never share the .pfx file or its password with unauthorized parties.
Remember that the private key is a sensitive piece of information that must be protected, as unauthorized access to the private key could compromise the security of the associated certificate.
The process of importing a .pfx file varies depending on the system or application you are using. Generally, you will need to access the appropriate configuration settings or management console for your system or application, and then follow the steps for importing a certificate or a private key. You will need to provide the .pfx file and the password you set when creating the file. For specific instructions, consult the documentation of the system or application you are using.
Yes, you can convert a .pfx file back to a .cer file and a separate private key using the OpenSSL command-line tool. To extract the certificate, use the following command:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer
To extract the private key, use this command:
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privateKey.key
Replace certificate.pfx with your .pfx file, certificate.cer with the desired output .cer file, and privateKey.key with the desired output private key file. You will be prompted to enter the password for the .pfx file.
So what is the process or can you show me the process of creating a CSR on the local machine so I can go ahead and create the pfx.
The process of creating a CSR will vary depending on the platform you are working on. Please refer to the posts in this link: https://thesecmaster.com/?s=CSR&tcb_sf_post_type%5B%5D=post&tcb_sf_post_type%5B%5D=page
This would help you create the CSR the way you need. Please let us know if this answer didn’t answer your question.
This article is a nonsense! Why should I have the private key of a certification authority?!?
No one should have the private key of other parties, especially the Certificate Authority. Suppose the private key of a Certificate Authority is extracted. It is considered a breach of security. This could cause a massive impact on the complete PKI system. The Certificate Authority should be rebuilt with the new private key. All the intermediate and subordinate CAs should be signed with the new CA’s certificate. It is a troublesome task to recover and make the PKI system functional again.
Thanks very much, and it was very helpful to me as well
Thanks, Raiska. Your feedback is precious to us.
That did not work.
Step 15 doesn't work because there is no private key. You can't select anything except the top three options in the export menu. I appreciate you trying to write this guide but it doesn't work.
Did you try this on the same machine on which you created CSR?
This does not make sense. Once we create a CSR where do we put it or where does it go?
You are absolutely correct. We would completely agree with your statement. Even pem certificates can also store the private key, however, the difference between the pem and the pfx certificates is pfx provides optional password protection. You can make the pfx certificate password protected in case of transfer over the wire. Let us know if this answer didn’t answer your query.
Thank you so much for writing this article. Very useful!
You are most welcome!
Arun, great article. Quick question for you. We need to install an SSL certificate on IIS on a server. This is for our gateway. We have got the SSL certificate from GoDaddy.
Question: do we need to convert the certificate from *.cer to *.pfx format to install it on the server, and how do I do it?
Thanks in advance
If you want to install the SSL certificate in PFX, you can ask GoDaddy to provide the certificate in PFX. If they can’t provide you the certificate in PFX, then you need to convert the certificate from CER to PFX. However, you should have the private key file with you to convert your CERT certificate to PFX format. If you don’t have the private key with you, the only option you are left with is to import the CERT certificate on the same server on which the CSR was generated and export the certificate in PFX. You can export the certificate in PFX on a different server as well, but your PFX certificate will not be bundled with the private key.
If you have private key file, you can install openssl on your windows server and convert your certificate from CER to PFX using that openssl utility.
You can also use online tools to convert if you don’t want to try openssl. But we don’t recommend using online tools for production, where you need to upload the private key to a third-party server. It’s against the data security policy. Your private key can be compromised.
GoDaddy won't provide certificates in PFX format. They kind of advised similar to what you advised, use OpenSSL.
GoDaddy can’t provide PFX since they don’t store your private key. In this scenario, converting CER to PFX on the same Windows server (CSR created) is the best option for you. You should have the private key to use OpenSSL for the conversion.
Thanks Arun, in our case we have the PEM & CSR with us. Is it possible to create the PFX with this information without having to do it on the same server where the CSR was created?
It is possible to convert PEM or CSR to PFX on the same server on which the CSR was created. If you need the certificate to be deployed on a non-Windows platform, PEM alone works for you if it has the private key. If you want to deploy the certificate on Windows, then go for PFX.
We have followed your steps, but for some reason the certificate doesn’t show with a private key. We have been given a .cer file from GlobalSign, but we can’t seem to convert the file to PFX as we need the private key, which we don’t have.
Do we need to ask GlobalSign for this?
The private key export option should be enabled in the certificate template of the GlobalSign CA server. Raise this query with them. They can fix your problem.