• Home
  • |
  • Blog
  • |
  • Step by Step Procedure to Convert a CER Certificate to PFX Without the Private Key
Step by Step Procedure to Convert a CER Certificate to PFX Without the Private Key

Before jumping into the procedure to convert a CER certificate to PFX without the private key. Let’s understand the difference between the certificate formats.

You can always refer X.509 certificate Request for Comments (RFC) and X.509 articles to know about the digital certificates in depth. X.509 certificates come majorly in two formats: Base64 (ASCII) and Binary. Again there are two formats underneath Base64. They are PEM and PKCS#7. As like Base64, Binary has two formats too: DER and PKCS#12. Of all these certificate formats few of them come bundled with a private key and few are not. To tell in short, .cer, .crt, and .p7b formats necessarily don’t have the private key with them. Whereas .pfx is always bundled with a private key.

Most of the Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats which don’t have the private key in most of the cases. But, your application needs the certificate in .pfx format. Now, you have a .cer certificate in your hand, but you need a .pfx certificate to deploy. And, you can’t convert the .cer certificate to .pfx without the private key. This problem has created confusion in most people and may create delays in the certificate deployment/renewal process.

We thought it is an excellent idea to address this common problem. So we are here to explain the complete step by step process to convert a CER Certificate to PFX Without the private key.

How to Convert a CER Certificate to PFX Without the Private Key?

The procedure is quite simple. You can convert a CER certificate to PFX without the private key in three simple steps. But, this process will require the machine on which you have created the CSR (Certificate Signing Request) Because the private key had been created during the CRS creation process. We are just using the previously create private key to convert the CER certificate to PFX. Bear in mind, this process will work only on Windows platform.

  1. Import the certificate chain to their respective stores.
  2. Open the certificate snap-in in the Windows MMC console.
  3. Export the certificate in .pfx from the MMC console.

Time needed: 5 minutes.

How to Convert a CER Certificate to PFX Without the Private Key?

  1. Import the certificate to its personal certificate store

    Right-click on the certificate file.
    Select install certificate.Install certificate

  2. Select Local Computer radio button

    Select local computer

  3. Select the default automatic store to import the certificate

    Select the certificate store to import the certificate

  4. Import the certificate

    Click Finish button to complete the import process.Import the certificate.

  5. Import process complete.

    Wait for a while until you see a successful message.
    Certificate Import Successful

  6. Open MMC in Windows server

    Hit Win + R to open the Run utility
    Type mmc in the box.
    Press Ok.
    Open mmc in Windows Server

  7. Add Certificate Snap-in

    Go to File > Add/Remove Snap-in..Add Certificate Snap-in

  8. Select Certificates and press Add

    Certificate Snap-in

  9. Select the User or Computer Certificate snap-in

    Select the snap-in which you want to create the certificate. For demonstration we are choosing Compute account.
    Click Next.
    Select Computer account

  10. Select Local Computer

    Select local computer as you are going to create CSR on the same computer.
    Click Finish.Select Local Computer

  11. Select Certificate (Local Computer) and click Ok

    Select Local Computer snap-in

  12. Load MMC

    You will see the certificate in the personal store.MMC Console

  13. Export the Certificate
    Right Click on the Certificate
    Select All Tasks -> Export

    Export the certificate

  14. Certificate Export Wizard

    Click Next in the Certificate Export WizardCertificate Export Wizard

  15. Export the Private Key

    Select the radio button ‘yes, export the private key’
    Click Next
    Export the private key

  16. Export pfx certificate

    Select PFX radio button.
    Three options are available to select during the export. Select the one which you need.
    Click NextExport pfx certificate

  17. Select Security options to export the pfx certificate.

    (Optional) Select the Group or user name of your choice if you want to set the permissions to manage the certificate.
    Select a password and enter the password to encrypt the certificate.
    Note: It is mandated to select the password. It is recommended to secure the private key.Select security options to export the certificate

  18. Provide the location to save the pfx Certificate.

    Browse the location where you want to save the pfx certificate
    Click NextSave pfx certificate

  19. Finish to export the pfx certificate

    Finish to export the pfx certificate

See Also  How To Fix CVE-2022-20777- A Critical Guest Escape Vulnerability In Cisco NFVIS

This complete the procedure to convert a CER certificate to PFX without the private key.

Thanks for reading this article. Please read more such interesting articles and keep support us.

Frequently Asked Questions:

1. What is a .cer certificate?

A .cer certificate is a digital certificate file that uses the X.509 standard to define the structure and contents of public key certificates. The .cer file format is primarily used in Microsoft Windows environments and contains information about the certificate owner, the certificate issuer, the certificate’s public key, and other relevant details.

2. What is a .pfx certificate?

A .pfx certificate is a digital certificate file format that combines the public key certificate (typically a .cer or .crt file) with its associated private key, and optionally, any intermediate certificates, into a single encrypted file. The .pfx format is commonly used in Microsoft Windows environments for importing and exporting certificates and private keys.

3. Can I convert a .cer certificate to a .pfx certificate without the private key?

No, you cannot convert a .cer certificate to a .pfx certificate without the associated private key. A .pfx file requires the private key to be bundled with the public key certificate, providing a complete cryptographic identity for the certificate owner. Without the private key, a .pfx file cannot be created.

4. Why do I need the private key to create a .pfx file?

The private key is an essential part of the cryptographic identity represented by a digital certificate. It is used for secure communication, data encryption, and digital signatures. When you create a .pfx file, you are bundling the certificate’s public key and its associated private key into a single file. This provides a convenient way to export and import the complete certificate identity, including the private key, between systems and applications.

5. I lost my private key. What should I do?

If you lost your private key, you cannot recover it, nor can you create a .pfx file using your existing .cer certificate. In this case, you should generate a new key pair, create a new Certificate Signing Request (CSR), and request a new certificate from your Certificate Authority (CA). Once you receive the new certificate, ensure that you securely back up your private key to avoid losing it again.

6. How do I create a .pfx file if I have both the .cer certificate and the private key?

If you have both the .cer certificate and the private key, you can use the OpenSSL command-line tool to create a .pfx file. The following command shows how to create a .pfx file using a .cer certificate and a private key:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.cer

Replace privateKey.key with your private key file and certificate.cer with your .cer certificate file. This command will prompt you to set a password for the .pfx file. Remember this password, as you will need it when importing the .pfx file into other systems or applications.

See Also  Step-By-Step Procedure To Install CentOS Linux On VMWare Workstation
7. Can I use the .cer certificate directly without converting it to a .pfx file?

Yes, you can use the .cer certificate directly in some cases, depending on the application or system requirements. However, some systems and applications require a .pfx file, which includes both the certificate and its associated private key. Check the documentation of the system or application you are using for specific requirements regarding certificate formats.

8. How can I check if my .cer certificate file contains the private key?

A .cer certificate file typically does not contain the private key. However, you can verify the contents of the .cer file using the OpenSSL command-line tool with the following command:

openssl x509 -in certificate.cer -text -noout

Replace certificate.cer with your .cer certificate file. If the file contains only the public key certificate, you will see information about the certificate owner, issuer, validity period, and public key. If the file also contains the private key, you will see additional information about the private key, but this is unlikely for a .cer file.

9. Is there any security risk in converting a .cer certificate to a .pfx file?

There is no inherent security risk in converting a .cer certificate to a .pfx file as long as you follow best practices for handling private keys. When creating a .pfx file, make sure to:

1. Set a strong password for the .pfx file to protect the bundled private key.
2. Store the .pfx file securely and restrict access to authorized users only.
3. Never share the .pfx file or its password with unauthorized parties.

Remember that the private key is a sensitive piece of information that must be protected, as unauthorized access to the private key could compromise the security of the associated certificate.

10. How do I import a .pfx file into my system or application?

The process of importing a .pfx file varies depending on the system or application you are using. Generally, you will need to access the appropriate configuration settings or management console for your system or application, and then follow the steps for importing a certificate or a private key. You will need to provide the .pfx file and the password you set when creating the file. For specific instructions, consult the documentation of the system or application you are using.

11. Can I convert a .pfx file back to a .cer file and separate private key?

Yes, you can convert a .pfx file back to a .cer file and separate private key using the OpenSSL command-line tool. To extract the certificate, use the following command:

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer

To extract the private key, use this command:

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privateKey.key

Replace certificate.pfx with your .pfx file, certificate.cer with the desired output .cer file, and privateKey.key with the desired output private key file. You will be prompted to enter the password for the .pfx file.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

  1. So what is the process or can you show me the process of creating a CSR on the local machine so I can go ahead and create the pfx.

    1. Hello Gürcan,

      No one should have the private key of other parties, especially the Certificate Authority. Suppose the private key of a Certificate Authority is extracted. It is considered as a breach of security. This could cause a massive impact on the complete PKI system. The Certificate Authority should be rebuilt with the new private key. All the intermediate and Subordinate CA’s should be signed with the new CA’a certificate. It is a troublesome task to recover and make the PKI system back functional.

  2. Step 15 doesn't work because there is no private key. You can't select anything except the top three options in the export menu. I appreciate you trying to write this guide but it doesn't work.

        1. Hello Michael,

          You are absolutely correct. We would completely agree with your statement. Even pem certificates can also store the private key, however, the difference between the pem and the pfx certificates is pfx provides optional password protection. You can make the pfx certificate password protected in case of transfer over the wire. Let us know if this answer didn’t answer your query.

  3. Arun, great article. quick question for you. We need to install SSL certificate on IIS on a server. This is for our gateway. We have got the SSL certificate from godaddy.

    Question: do we need to convert the certificate from *.cer to *.pfx format to install it on the server. and How do I do it.

    Thanks in advance

    1. Hi Tanweer,

      If you want to install SSL certificate in PFX, you can ask Godaddy to provide the certificate in PFX. If they can’t provide you the certificate in PFX, then you should need to convert the certificate from CER to PFX. However, you should have the private key file with you to convert your CERT certificate to PFX format. If you don’t have the private key with you, the only option that you have left with is that, you should import the CERT certificate on the same server on which CSR has generated and export the certificate in PFX. You can export the certificate in PFX on a different server as well, but your PFX certificate will not be bundled with the private key.

      If you have private key file, you can install openssl on your windows server and convert your certificate from CER to PFX using that openssl utility.

      You can also use online tools to convert if don’t want to try openssl. But, we don’t recommend using online tools for production where you need to upload the private key to a third party server. it’s against the data security policy. Your private key can be compromised.


        1. Godaddy can’t provide PFX since they don’t store your private key. In this scenario, converting CER to PFX on the same Windows server (CSR created) is the best option for you. You should have the private key to use OpenSSL for the conversion.

          1. Thanks Arun, in our case we have the PEM & CSR with us. Is it possible to create the PFX with these information without having to do it on the same server where the CSR was created?

          2. Hello Saravanan,

            It is possible to convert PEM or CSR to PFX on the same server on that CSR was created. If you need the certificate to be deployed on the non-windows platform, PEM alone works for you if it has the private key. If you want to deploy the certificate on Windows, then go for PFX.

  4. Hi Arun

    We have followed your steps for some reason the certificate doesn’t show with a private key? we have been given a .cer file from GlobalSign but we can’t seem to convert the file to PFX as we need the private key which we don’t have?

    Do we need to Ask GlobalSign for this?

    Kind Regards

    1. The private key export option should be enabled in the certificate template of the GlobalSign CA server. Raise this query with them. They can fix your problem.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.