• Home
  • |
  • Blog
  • |
  • Step By Step Procedure To Convert A CER Certificate To PFX Without The Private Key
Step by Step Procedure to Convert a CER Certificate to PFX Without the Private Key

Before jumping into the procedure to convert a CER certificate to PFX without the private key. Let’s understand the difference between the certificate formats.

You can always refer X.509 certificate Request for Comments (RFC) and X.509 articles to know about the digital certificates in depth. X.509 certificates come majorly in two formats: Base64 (ASCII) and Binary. Again there are two formats underneath Base64. They are PEM and PKCS#7. As like Base64, Binary has two formats too: DER and PKCS#12. Of all these certificate formats few of them come bundled with a private key and few are not. To tell in short, .cer, .crt, and .p7b formats necessarily don’t have the private key with them. Whereas .pfx is always bundled with a private key.

Most of the Certificate Authorities will not issue certificates with the private key. They just issue and share the certificates in .cer, .crt, and .p7b formats which don’t have the private key in most of the cases. But, your application needs the certificate in .pfx format. Now, you have a .cer certificate in your hand, but you need a .pfx certificate to deploy. And, you can’t convert the .cer certificate to .pfx without the private key. This problem has created confusion in most people and may create delays in the certificate deployment/renewal process.

We thought it is an excellent idea to address this common problem. So we are here to explain the complete step by step process to convert a CER Certificate to PFX Without the private key.

How To Convert A CER Certificate To PFX Without The Private Key?

The procedure is quite simple. You can convert a CER certificate to PFX without the private key in three simple steps. But, this process will require the machine on which you have created the CSR (Certificate Signing Request) Because the private key had been created during the CRS creation process. We are just using the previously create private key to convert the CER certificate to PFX. Bear in mind, this process will work only on Windows platform.

  1. Import the certificate chain to their respective stores.
  2. Open the certificate snap-in in the Windows MMC console.
  3. Export the certificate in .pfx from the MMC console.

Time needed: 5 minutes.

How to Convert a CER Certificate to PFX Without the Private Key?

  1. Import the certificate to its personal certificate store

    Right-click on the certificate file.
    Select install certificate.Install certificate

  2. Select Local Computer radio button

    Select local computer

  3. Select the default automatic store to import the certificate

    Select the certificate store to import the certificate

  4. Import the certificate

    Click Finish button to complete the import process.Import the certificate.

  5. Import process complets.

    Wait for a while until you see a successful message.
    Certificate Import Successful

  6. Open MMC in Windows server

    Hit Win + R to open the Run utility
    Type mmc in the box.
    Press Ok.
    Open mmc in Windows Server

  7. Add Certificate Snap-in

    Go to File > Add/Remove Snap-in..Add Certificate Snap-in

  8. Select Certificates and press Add

    Certificate Snap-in

  9. Select the User or Computer Certificate snap-in

    Select the snap-in which you want to create the certificate. For demonstration we are choosing Compute account.
    Click Next.
    Select Computer account

  10. Select Local Computer

    Select local computer as you are going to create CSR on the same computer.
    Click Finish.Select Local Computer

  11. Select Certificate (Local Computer) and click Ok

    Select Local Computer snap-in

  12. Load MMC

    You will see the certificate in the personal store.MMC Console

  13. Export the Certificate
    Right Click on the Certificate
    Select All Tasks -> Export

    Export the certificate

  14. Certificate Export Wizard

    Click Next in the Certificate Export WizardCertificate Export Wizard

  15. Export the Private Key

    Select the radio button ‘yes, export the private key’
    Click Next
    Export the private key

  16. Export pfx certificate

    Select PFX radio button.
    Three options are available to select during the export. Select the one which you need.
    Click NextExport pfx certificate

  17. Select Security options to export the pfx certificate.

    (Optional) Select the Group or user name of your choice if you want to set the permissions to manage the certificate.
    Select a password and enter the password to encrypt the certificate.
    Note: It is mandated to select the password. It is recommended to secure the private key.Select security options to export the certificate

  18. Provide the location to save the pfx Certificate.

    Browse the location where you want to save the pfx certificate
    Click NextSave pfx certificate

  19. Finish to export the pfx certificate

    Finish to export the pfx certificate

This complete the procedure to convert a CER certificate to PFX without the private key.

Thanks for reading this article. Please read more such interesting articles and keep support us.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

  1. So what is the process or can you show me the process of creating a CSR on the local machine so I can go ahead and create the pfx.

    1. Hello Gürcan,

      No one should have the private key of other parties, especially the Certificate Authority. Suppose the private key of a Certificate Authority is extracted. It is considered as a breach of security. This could cause a massive impact on the complete PKI system. The Certificate Authority should be rebuilt with the new private key. All the intermediate and Subordinate CA’s should be signed with the new CA’a certificate. It is a troublesome task to recover and make the PKI system back functional.

  2. Step 15 doesn't work because there is no private key. You can't select anything except the top three options in the export menu. I appreciate you trying to write this guide but it doesn't work.

        1. Hello Michael,

          You are absolutely correct. We would completely agree with your statement. Even pem certificates can also store the private key, however, the difference between the pem and the pfx certificates is pfx provides optional password protection. You can make the pfx certificate password protected in case of transfer over the wire. Let us know if this answer didn’t answer your query.

  3. Arun, great article. quick question for you. We need to install SSL certificate on IIS on a server. This is for our gateway. We have got the SSL certificate from godaddy.

    Question: do we need to convert the certificate from *.cer to *.pfx format to install it on the server. and How do I do it.

    Thanks in advance

    1. Hi Tanweer,

      If you want to install SSL certificate in PFX, you can ask Godaddy to provide the certificate in PFX. If they can’t provide you the certificate in PFX, then you should need to convert the certificate from CER to PFX. However, you should have the private key file with you to convert your CERT certificate to PFX format. If you don’t have the private key with you, the only option that you have left with is that, you should import the CERT certificate on the same server on which CSR has generated and export the certificate in PFX. You can export the certificate in PFX on a different server as well, but your PFX certificate will not be bundled with the private key.

      If you have private key file, you can install openssl on your windows server and convert your certificate from CER to PFX using that openssl utility.

      You can also use online tools to convert if don’t want to try openssl. But, we don’t recommend using online tools for production where you need to upload the private key to a third party server. it’s against the data security policy. Your private key can be compromised.


        1. Godaddy can’t provide PFX since they don’t store your private key. In this scenario, converting CER to PFX on the same Windows server (CSR created) is the best option for you. You should have the private key to use OpenSSL for the conversion.

  4. Hi Arun

    We have followed your steps for some reason the certificate doesn’t show with a private key? we have been given a .cer file from GlobalSign but we can’t seem to convert the file to PFX as we need the private key which we don’t have?

    Do we need to Ask GlobalSign for this?

    Kind Regards

    1. The private key export option should be enabled in the certificate template of the GlobalSign CA server. Raise this query with them. They can fix your problem.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.