Conversions between different keystores and certificate types

Different applications usually have different requirements on the key/certificate format they import and use. This guide contains steps for conversion between the most common formats, needed in SafeQ subsystems.

Conversion from the common PEM files (.crt and .key) to the Personal Information Exchange

Suppose you have a certificate (or a whole chain in one file, in case your certificate chain contains at least one certification authority) and private key in PEM format. Let's name the key file privatekey.key and certificate chain file certificatechain.crt.

In order to combine these two files into one Personal Information Exchange (usually .pfx or .p12 extension), run the following OpenSSL command:

openssl pkcs12 -export -in certificatechain.crt -inkey privatekey.key -out <path to your new .pfx file>

This command will ask for the password to the original privatekey.key file and for a new password that you want to use to protect your new Personal Information Exchange file. The specified .pfx file will then be created.

Conversion from Personal Information Exchange to the common PEM files (.crt and .key)

Suppose you have a Personal Information Exchange (usually .pfx or .p12 extension) file, let's name it certificate.pfx. In order to export the private key and the certificate (or the whole chain in case your certificate chain contains at least one certification authority) to two distinct PEM files (.crt and .key extensions), run the following OpenSSL commands:

openssl pkcs12 -in certificate.pfx -nocerts -out <path to your new .key file>
openssl pkcs12 -in certificate.pfx -nokeys -out <path to your new .crt file>

The first command will ask for the password to the original certificate.pfx file and for a new password that you want to use to protect your new .key file containing the exported private key. The specified .key file will then be created.

The second one will similarly ask for the password to the original certificate.pfx file. It will then create the .crt file containing the exported certificate or, in case your chain contains more certificates, all of them.
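A check for the two PEM/Personal Information Exchange conversions above, added here as an example and not part of the original guide: it confirms that the private key belongs to the certificate before packing and that the same key comes back after unpacking. The file names follow the guide; the function names, the KEY_PASS and PFX_PASS variables, their values and the self-signed test certificate are constructed, and the leaf certificate is assumed to be the first one in the chain file.

```sh
#!/bin/sh
# Added example. Passwords are passed through environment variables (env:)
# so the script runs unattended without putting them on the command line.

# Public key (PEM) of the FIRST certificate in a PEM file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key (PEM) derived from a private key; password taken from $KEY_PASS.
key_pubkey() { openssl pkey -in "$1" -passin env:KEY_PASS -pubout; }

# Succeeds only if both files parse and carry the same public key.
pair_matches() {
    c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") && [ "$c" = "$k" ]
}

# PEM -> .pfx -> PEM round trip on a constructed key and certificate.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    export KEY_PASS='constructed-key-pass' PFX_PASS='constructed-pfx-pass'
    (
        cd "$dir" &&
        openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=constructed.example' \
            -keyout privatekey.key -out certificatechain.crt \
            -passout env:KEY_PASS 2>/dev/null &&
        pair_matches certificatechain.crt privatekey.key &&   # before packing
        openssl pkcs12 -export -in certificatechain.crt -inkey privatekey.key \
            -passin env:KEY_PASS -out certificate.pfx -passout env:PFX_PASS &&
        openssl pkcs12 -in certificate.pfx -nocerts -passin env:PFX_PASS \
            -passout env:KEY_PASS -out exported.key 2>/dev/null &&
        openssl pkcs12 -in certificate.pfx -nokeys -passin env:PFX_PASS \
            -out exported.crt 2>/dev/null &&
        pair_matches exported.crt exported.key &&             # after unpacking
        pair_matches certificatechain.crt exported.key        # same key survived
    )
    rc=$?
    rm -rf "$dir"    # the constructed private key does not outlive the demo
    return $rc
}

roundtrip_demo && echo "key and certificate match before and after conversion"
```

To check your own files, set KEY_PASS to the key password and run pair_matches certificatechain.crt privatekey.key before the export; a non-zero exit status means the key does not belong to the first certificate in the file.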

Conversion from Personal Information Exchange to Java Keystore

In order to convert a certificate from Personal Information Exchange (usually .pfx or .p12) to the Java Keystore (extension .jks), run the following keytool (a tool distributed along with Java) command:

keytool -importkeystore -srckeystore <path to your .pfx or .p12 file> -srcstoretype pkcs12 -destkeystore <path to your new .jks file> -deststoretype JKS

This command will ask for the password to the original .pfx or .p12 file and for a new password that you want to use to protect your new Java keystore. The specified .jks file will then be created.

Conversion from Java Keystore to Personal Information Exchange

In order to convert a certificate from Java Keystore (extension .jks) to the Personal Information Exchange (usually .pfx or .p12), run the following keytool (a tool distributed along with Java) command:

keytool -importkeystore -srckeystore <path to your .jks file> -srcstoretype JKS -destkeystore <path to your new .pfx file> -deststoretype pkcs12

This command will ask for the password to the original Java keystore and for a new password that you want to use to protect your new Personal Information Exchange file. The specified .pfx file will then be created.

Conversion from P7B to the common PEM file

P7B is a file format for storing certificate chains without the corresponding private keys. It is a common format in which Certification Authorities deliver signed certificates to requesters. However, many applications do not understand it. In order to convert a .p7b certificate file to a more common PEM file, run the following OpenSSL command:

a) In case your .p7b file is in a binary form:

openssl pkcs7 -print_certs -inform DER -outform PEM -in certificate.p7b -out certificate.crt

b) In case your .p7b file is encoded using Base64:

openssl pkcs7 -print_certs -inform PEM -outform PEM -in certificate.p7b -out certificate.crt