How to convert a TLS certificate to PFX PKCS12 format

Table of Contents

Case #

You have a custom TLS certificate from a Certificate Authority (CA) in PEM, CER, CRT or other compatible format. You need to convert this certificate to PFX format also known as PKCS12 format.

Solution #

The PFX/PKCS12 format includes the certificate private key. In order to convert your original certificate to PFX format you need the following files:

  • Your original TLS certificate as provided by your CA.
  • Certificate private key file (.txt or .key format)
  • Your CA certificate authority intermediate certificate (in per or cer/crt format). In order to identify what your CA intermediate certificate is, there are basically two options:
    • If your original certificate is in CER/CRT format, you can easily import this certificate in the Windows/Linux/MacOS certificate store and inspect the certificate chain.
  • If your original certificate is in PEM format you should use a tool such as GNU Kleopatra to open the pem file and inspect the certificate hierarchy as in the example below.

After having determined what your CA intermediate certificates are, navigate to the CA website and search for these publicly available intermediate certificates. One good example of this is Digicert website:

You should normally not need the CA root certificate for most modern certificates, but it's a good idea to download the CA root as well, just in case you need it in legacy systems and clients which dont have an up to date CA hierarchy certificate store by default.

After you have gathered all the above certificate files, you have two options:

Sources #

Powered by BetterDocs