Creating a PFX certificate from a PEM certificate including the CA Bundle
Most CAs (certificate authorities) issue certificates (X.509) in PEM format, but some platforms (for example Azure Application Gateway and IIS) require certificates to be uploaded in PKCS#12 format (also known as PFX).
In this guide we convert a certificate from PEM format into PFX/PKCS#12 format, ready to be used on a platform like Application Gateway or IIS.
First, we need three files in PEM format:
- The certificate
- The private key in PEM format
- The CA Bundle (containing the intermediate certificates and sometimes the root certificates)
Certificates and CA bundles usually have the extension .pem, .cert or .crt. Private keys usually use .pem or .key.
To do the conversion we are using openssl. In this guide we run it on Debian Linux, but you can also install openssl on Windows or Mac, or run it in Windows WSL or in a Docker container.
Run the following command, replacing the file names with your own.
$ openssl pkcs12 -export -in certificate.pem -certfile cabundle.pem -inkey privatekey.pem -out certificateandkey.pfx
As you can see, the -in argument points to the location of the certificate file.
The -certfile argument points to the location of the CA Bundle, containing all the extra (intermediate) certificates.
The -inkey argument points to the private key file.
The -out argument tells openssl how to name the output file.
An important difference between PEM certificate files and PKCS#12/PFX files is that a PFX file also contains the private key!
So keep your PKCS#12/PFX file in a safe place, just like your private key!
It is possible to extract the private key from a PKCS#12/PFX file.
A few notes about the CA Bundle
All CAs have root certificates. These root certificates are loaded into your browser or computer (in the certificate store) and are used to verify whether a certificate is signed by the CA.
When a CA issues a certificate, it is signed by the CA. Most CAs do not use their root certificate for signing but an intermediate certificate. This intermediate certificate is NOT bundled in your browser or computer, but it is signed with the root certificate by the CA.
Here is where the CA Bundle comes into play. Along with your certificate, your platform also sends the certificates from the CA Bundle to the client/browser. The CA Bundle contains all the intermediate certificates the browser or computer needs to build a signing path (the chain) from your certificate to the already known root certificate.
Because the root certificate is already known by the browser or computer, it is not necessary to include the root certificate in the CA Bundle.
Example of the certificate chain for www.maartendekeizer.nl:
- The certificate for www.maartendekeizer.nl is signed by R3 and sent by the server
- The certificate for R3 is signed by ISRG Root X1 and sent by the server
- The certificate for ISRG Root X1 is in your browser or computer's certificate store
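The following script is an added, self-contained example (not from the original guide): it builds a throwaway root, intermediate and leaf with openssl, packs the leaf, its key and the CA bundle into a PFX exactly as the conversion command above does, and then checks the PFX the way the CA Bundle notes describe (two certificates inside, the chain validates up to a root that is not in the file, and the embedded key matches the certificate). All names, the domain www.example.test and the export password are constructed for the demo.

```shell
#!/bin/sh
# Constructed end-to-end demo (not the guide's own code): build a throwaway
# root -> intermediate -> leaf chain, export leaf + key + CA bundle to a PFX as the
# guide does, then check the result before it would be uploaded anywhere.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Demo CA hierarchy. root.pem stands in for the root already in the client's store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr 2>/dev/null
# Only the intermediate goes into the CA bundle; the root is left out, as the guide says.
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out cabundle.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -keyout privatekey.pem -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA cabundle.pem -CAkey int.key -CAcreateserial -extfile leaf.ext -days 2 -out certificate.pem 2>/dev/null

# The guide's conversion, with the export password given non-interactively (demo value).
# That password is what protects the private key inside the PFX.
PW='pass:demo-export-password'
export_pfx() {
  openssl pkcs12 -export -in certificate.pem -certfile cabundle.pem -inkey privatekey.pem \
    -out certificateandkey.pfx -passout "$PW" 2>/dev/null
}

# Post-export checks: number of certificates inside, whether the embedded chain
# validates up to the trusted root, and whether the embedded key matches the leaf.
pfx_cert_count() {
  openssl pkcs12 -in certificateandkey.pfx -nokeys -passin "$PW" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
pfx_chain_verifies() {
  openssl pkcs12 -in certificateandkey.pfx -nokeys -passin "$PW" 2>/dev/null > extracted.pem
  openssl verify -CAfile root.pem -untrusted extracted.pem certificate.pem >/dev/null 2>&1 && echo yes || echo no
}
pfx_key_matches_cert() {
  k=$(openssl pkcs12 -in certificateandkey.pfx -nocerts -nodes -passin "$PW" 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  c=$(openssl x509 -in certificate.pem -noout -pubkey)
  [ "$k" = "$c" ] && echo yes || echo no
}

export_pfx
echo "certificates in PFX: $(pfx_cert_count) (leaf + intermediate, no root)"
echo "chain verifies: $(pfx_chain_verifies)  key matches cert: $(pfx_key_matches_cert)"
```

If the count comes back as 1, the -certfile bundle was not picked up; if the chain does not verify, the bundle is missing an intermediate or the root used as trust anchor does not match.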