fbpx

How to Convert Windows PFX Certificate Files Into PEM Format for Use in Apache/NGINX on Linux

By Bobby Gill on July 12, 2021

A common task we have to perform is moving certificates around mixed platform environments, namely from Windows to Linux, or from Windows to Amazon Web Services (AWS). For example, you may have a certificate and private key installed on a Windows Server machine and used by IIS, but how do you export it so you can then use it within Apache or NGINX running on a Linux server? Or what about importing the certificate so you can use it to secure a HTTPs endpoint on AWS Application Load Balancer? In this post, I will show you very quickly how to export and transform a certificate used in Windows so that it can be used in non-Windows environments.

Pre-requisites

  • A Windows Server machine with an installed certificate and private key pair. The private key must have been imported and marked as Exportable, otherwise this tutorial will not work.
  • OpenSSL module installed for PowerShell

Export Certificate from Windows

1.) Open up the local machine Certificate Manager (run “certmgr” from the Windows Search box)

2.) Find your installed certificate within one of your local certificate stores, right click on it, go to All Tasks -> Export.

3.) This launches the “Certificate Export Wizard”. Within this, click Next and make sure to check the “Yes, export the private key” option.

4.) For the Export File Format, make sure to check “Personal Information Exchange – PKCS #12” and accept the default checked values underneath it.

5.) Set a password that will be used to protect the exported PFX file, note this down for later.

6.) Choose a file location and name, and hit “Finish”.

At this point you now have a .PFX file exported that contains both the public and private keys for the certificate we are looking to convert.

Convert PFX File Format to PEM Format

1.) Open up a PowerShell Command window.

2.) The first step is to export the private key from the PFX file, to do that type:

openssl pkcs12 -in <filename>.pfx -nocerts -out key.pem

This will ask you to input the password you set on the PFX file in Step 5 of the previous section. You will also be prompted to provide a new password for the generated key.pem file, just pick any password for now, we are going to remove it at the end of the tutorial.

3.) Next, we will export the certificate from the pfx file itself and put it into its own .PEM file:

openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

4.) Finally, we will take the output of step 2 and remove the passphrase from it:

openssl rds -in key.pem -out server.key

That’s it! The cert.pem file contains the public key of your certificate. The server.key contains the private key associated with that certificate.

Copy PEM and KEY Files to Linux

1.) Copy the cert.pem and server.key files to your Linux instance.

2.) Ensure the right permissions are set on both files:

  • Set the directory permission to 700.
  • Set the file permission on both the .pem and .key files to 600.
  • Ensure the directory and files themselves are owned by the root user.

3.) Modify Apache or NGINX configurations to reference the above copied files.

Import Certificates into Amazon Certificate Manager

If you are looking to use the certificate within AWS as a SSL certificate on a Application Load Balancer, then you will need to first import the certificates into Amazon Certificate Manager.

1.) Login into the Amazon Certificate Manager

2.) Click on Import Certificate

3.) In the box labelled “Certificate Body”, paste the contents of cert.pem file.

4.) In the box labelled “Certificate Private Key”, paste the contents of the server.key file.

5.) If there is an intermediate certificate authority used by your certificate then copy and paste the public key of any intermediate certificates into the Certificate Chain box.

6.) Modify your Application Load Balancer listener endpoints to use the certificate you imported in step 5.