Creating a PFX certificate from a PEM certificate including the CA Bundle

Most CA's (certificate authorities) will issue certificates (X.509) in the PEM format. But some platforms (for example Azure Application Gateway and IIS) require certificates to be uploaded in PKCS#12 format (also known as PFX).
In this guide we will convert a certificate from PEM format into a PFX/PKCS#12 format, ready to be used in a platform like application gateway or IIS.

First, we need three files in PEM format:

Certificates and CA-bundles usually have extensions .pem, .cert or .crt. Private keys usually use .pem or .key.

To do the conversion we are using openssl command. In this guide we will use openssl on Debian Linux, but you can also install openssl on Windows, Mac or run it on Windows WSL or in a Docker container.

Run the following command, replace the file names with your situation.

$ openssl pkcs12 -export -in certificate.pem -certfile cabundle.pem -inkey privatekey.pem -out certificateandkey.pfx

As you can see the -in argument points to the location of the certificate file. The -certfile points to the location of the CA Bundle, containing all the extra certificates. The -inkey argument point to the private key file. The -out argument tells openssl how to name the output file.

A important difference between PEM certificate files and PKCS#12/PFX files is that PFX files also contains the private key! So, keep your PKCS#12/PFX in a safe place together with your private key! It is possible to extract a private key from a PKCS#12/PFX file.

A few notes about the CA Bundle

All CA's have root certificates. These root certificates are loaded into your browser or computer (in the certificate store) and will verify if a certificate is signed by the CA.
When a CA issues a certificate, it is signed by the CA. Most CA's will not use their root certificate for signing but an intermediate certificate. This intermediate certificate is NOT bundled in your browser or computer but is signed with the root certificate by the CA.
Here is were the CA Bundle comes into play. Along with your certificate your platform is also sending the certificates from the CA Bundle to the client/browser.
The CA Bundle contains all the intermediate certificates for the browser or computer to create a signing-path between your certificate and the already known root certificate. Because the root certificate is already known by the browser or computer it is not necessary to have the root certificate included in the CA Bundle.

Example for a certificate chain of

The certificate for is signed by R3 and sent by the server
The certificate for R3 is signed by ISRG Root X1 and sent by the server
The certificate for ISRG Root X1 is in your browser or computer's certificatestore

06-02-2022 EN pfx pem cabundle ca-bundle certificates azure application gateway azure appgateway convert certificates pkcs#12
Deel via: LinkedIn Twitter