Convert PFX to PEM

The Nomadesk Private Cloud Software Appliance expects a certificate in PEM format.
Follow the steps below to convert a PFX file to the public and private keys the installer expects.

Using OpenSSL

Below you can find a script that converts a PFX file to PEM with the full chain included.
The steps are explained further down in case you want to run the openssl commands manually:

#!/bin/bash
#
# Usage:
# ./convert.sh my_pfx_file.pfx
#
pfx=$1
filename=cert

if [ -z "$pfx" ]; then
    echo "ERROR: no file provided" >&2
    exit 1
fi

if [ ! -f "$pfx" ]; then
    echo "ERROR: file does not exist" >&2
    exit 1
fi

# step 1: extract the CA certificates (-nokeys leaves the private key out)
echo "> Extracting certificate authority..."
echo "> Enter the password if your certificate is password protected"

openssl pkcs12 -in "${pfx}" -nodes -nokeys -cacerts -out "${filename}-ca.crt"
echo "done"
echo " "

# step 2: extract the certificate itself (-clcerts), again without the key
echo "> Extracting public key..."
echo "> Enter the password if your certificate is password protected"
openssl pkcs12 -in "${pfx}" -clcerts -nokeys -out "${filename}.crt"
echo "> Combining ca-certs with crt file..."

# combine ca and cert files to create the full chain
cat "${filename}.crt" "${filename}-ca.crt" > "${filename}-fullchain.crt"

rm -f "${filename}.crt" "${filename}-ca.crt"

# step 3: extract the private key; openssl encrypts it with the PEM pass phrase entered here
echo "> Extracting key file..."
echo "> Enter the password if your private key is password protected"
echo "> For the PEM pass phrase, enter a new password, this is required, in a later step this will be stripped again"
openssl pkcs12 -in "${pfx}" -nocerts -out "${filename}.key"
echo "done!"
echo " "

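# step 4: rewrite the key without a passphrase (openssl rsa handles RSA keys);
# after this step the key is stored unencrypted on disk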
echo "> Removing passphrase from private key"
echo "> Enter the PEM password provided in the step above"
openssl rsa -in "${filename}.key" -out "${filename}.key"
echo "done!"

echo " "

echo "Conversion complete 🎉"
echo "Created files:"
echo " 🔒 ${filename}.key"
echo " 🔑 ${filename}-fullchain.crt"

Manually Running the Commands

Using openssl the full chain certificate can be extracted.

Extract the Certificate Authority first:

openssl pkcs12 -in "my.pfx" -nodes -nokeys -cacerts -out "cert-ca.crt"

Now extract the certificate itself:

openssl pkcs12 -in "my.pfx" -clcerts -nokeys -out "cert.crt"

Combine the two so that a full chain certificate is created:

cat "cert.crt" "cert-ca.crt" > "cert-fullchain.crt"

Warning: the ordering of the certificate and the certificate authority matters. The certificate comes first, as in the command above.

Now extract the private key:

openssl pkcs12 -in "my.pfx" -nocerts -out "cert.key"

Enter the password that your PFX file is protected with, if any.
OpenSSL will then ask for a PEM pass phrase. Make sure to fill this in; it is required.

To remove the password from the private key again, run:

openssl rsa -in "cert.key" -out "cert.key"

The end result is now two files:

  • cert-fullchain.crt: this is the full chain certificate (the public part)
  • cert.key: this is the private key
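
To confirm that the two files belong together and that the certificate really comes first in the chain, the check below compares the public key of the first certificate in cert-fullchain.crt with the public key derived from cert.key. It is an added example, not part of the original script; the function name check_pem_pair and the file name verify.sh are hypothetical, and it assumes openssl is on the PATH.

```shell
#!/bin/bash
# Added example: check that the converter's two output files belong together.
# Usage: ./verify.sh cert-fullchain.crt cert.key   (verify.sh is a hypothetical name)

check_pem_pair() {
    local chain="$1" key="$2" cert_pub key_pub count

    # Step 4 should have stripped the passphrase; both the traditional
    # ("Proc-Type: 4,ENCRYPTED") and PKCS#8 headers contain this word.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is still passphrase protected" >&2
        return 1
    fi

    # openssl x509 reads only the first certificate in a file, so this is
    # the public key of whatever certificate was concatenated first.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: no readable certificate at the top of $chain" >&2
        return 1
    }

    # Derive the public key from the private key; the empty -passin keeps
    # openssl from prompting if the key turns out to be encrypted.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: cannot read private key $key" >&2
        return 1
    }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate in $chain does not match $key" >&2
        return 1
    fi

    count=$(grep -c 'BEGIN CERTIFICATE' "$chain")
    if [ "$count" -lt 2 ]; then
        echo "WARN: $chain holds $count certificate, no CA certificates" >&2
    fi
    echo "OK: $key matches the first certificate; $count certificate(s) in $chain"
}

if [ "$#" -eq 2 ]; then
    check_pem_pair "$1" "$2"
fi
```

A FAIL on the comparison means either the key belongs to a different certificate or the CA certificate was concatenated ahead of the certificate itself.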