Convert pfx to pem - ssl

I know there are many commands (openssl) to export pfx to pem BUT I need one thing different: I need to export the public key to a pem file and the private key to another file. Most of the commands and sites (some sites convert the pfx format to anyone I need) will only generate a single *.pem file.
Thanks.

Meta: this isn't a programming or development question, and will likely be closed as offtopic.
If you want the privatekey and the certificate (which contains the publickey but is not the publickey as such), this is a dupe of several questions in other Stacks where it is ontopic, including at least:
https://security.stackexchange.com/questions/3779/how-can-i-export-my-private-key-from-a-java-keytool-keystore/
https://serverfault.com/questions/715827/how-to-generate-key-and-crt-file-from-jks-file-for-httpd-apache-server
https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s (disclosure: my answer)
Alternatively since PEM files are structured text, you can parse the output of a single pkcs12 command by any number of text-handling programs such as awk:
openssl pkcs12 <p12 | awk '/-BEGIN ENC/,-END ENC/{print >"privkey"} \
/-BEGIN CERT/,/-END CERT/{if(!n)print >"cert"} /-END CERT/{n++}'
# for unencrypted privatekey add -nodes and select BEGIN/END PRIV
If you truly want the publickey, you can create it in algorithm-generic X.509 SubjectPublicKeyInfo form, from either the privatekey or the certificate:
# from the certificate
openssl x509 <certfile -noout -pubkey >pubkey
openssl pkcs12 <p12file -nokeys -clcerts | openssl x509 -noout -pubkey >pubkey
# from the privatekey
openssl pkey <privkey -pubout >pubkey
openssl pkcs12 <p12file -nocerts -nodes | openssl pkey -pubout >pubkey
This format is used by some OpenSSL functions (which calls it PUBKEY to distinguish from the several algorithm-specific PublicKey's), and low-level Java (which calls it X509EncodedKeySpec), and pretty much nothing else. Note systems using the bare public key are often insecure; that's exactly why most systems embed the publickey in a certificate.
If the key is RSA and you want the algorithm-specific (PKCS1 RSAPublicKey) format, in OpenSSL 1.1.0 (and presumably up) then use:
# from the SPKI publickey as above
openssl rsa <RSApub_spki [-inform DER] -pubin -RSAPublicKey_out [-outform DER] >RSApub_pkcs1
# from the privatekey
openssl rsa <RSAprivate [-inform DER] -RSAPublicKey_out [-outform DER] >RSApub_pkcs1
This is used rarely by a few OpenSSL functions and AFAIK nothing else; see caveat above.

Related

Fingerprint of certificate request (CSR)

I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does:
puppet:~# puppetserver ca list --all
Requested Certificates:
testbox (SHA256) 7C:8C:A2:2C:17:42:C1:B9:55:A0:1D:EE:0D:C1:B0:65:B0:B4:AF:83:68:77:A8:0D:C4:6C:B1:41:25:FF:E7:C2
This fingerprint value is printed on both testbox and puppet machines when bootstrapping testbox and only thing they both share is the CA certificate (private key of which is stored on puppet). So the algorithm shouldn't require any private keys on input.
I assume the algorithm is standard, but I don't know cryptographic formats and openssl enough to figure out how to get it, and I'd specifically like to use openssl or some other widely available command line utility (i.e. not Ruby).
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
unable to load certificate
139644407518336:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
Here's the actual certificate request:
testbox:~# cat /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEVzCCAj8CAQAwEjEQMA4GA1UEAwwHdGVzdGJveDCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAKAT6FPs6RkT30lnNk0wpfhLtjrrAr/YdyDCUVTjV5jL
23iuLLSHes7yog/gACitGqCOnSz7J95OUtfGV+ACV8AEcyNpQazOqHhcLh15CYa7
8fDyVsoLzHWUKDMXhNllYrJFOoEDU/IP/y5hdS6e56pPZCVwYRxg9pjtvOX/FyUA
vXFA94IvqAgR2HdD7Vbr11mSmVNJuP9bWimhizvpzG4g3Xacvz7BhEZC5v/tIuH6
zaQtKCoBoxTFQhlFhY1F0iIMIjbTFTUuzPjCh5pMhXMxm0rgpH0SkvJp8bzesCGX
34JIDCOo6R197IttvbPh+6J91nMReOrYl4WAIMFHMz9L2dEClKbT0qWKjTHSUB6E
Pkia6d/gQzM4UcfP2NGAPnaWv3HZJPy6LnOHFoaxkfiMVGMlKISqF8cbkhGEneX0
V3Q8z60BAdr1q2i2rmPQkhp0MLwCoOzEcH13I43GhZuF/V6YbBcLt0UcEI0DC+VR
vP1sIFXj/BzQkITgzE9q067vRtgYVb85CtfESvSbLdci8noPz076wuaiRme8qzHM
SovvAcq6QGPKaB7K7veKAUW7riOaXHRzR6WAxE2t4WlZDmT/9liLPlxT38Mbl2LE
mVRPNvb1IUyWY5SoE4Dl/9ZNMlIReMrT/XVD/Udt5zOlKxica2wSHPIRyBDm5ah9
AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAAkqLZQQGf8cHPqX+MWmMu42sHETv
CSqRvKM1oLcli4OCPF15axLNUAXg7+wSPOLfUkznkqukSs+ZZKoKex232ZesrDRn
IG1kkVrYRWAO6kgHHTnQJx0HOawny1OObfIlkbq/PSiprlPK5OfjyTgjK4oIDqIy
50Vifqv2akgW4/HirgUe54dILuXRlntFJtDXyanMHcRhg/Vy+I7hfIbimuBoIWuF
Z/ULNcj25+/m0VjAYNJ4gkV/TgIcWhmRLvq7AFeFo3tmEsmrbnXJnBnt1RCpAOY4
CF3T5etAsG+6JfQ/erY3Kh6sGK5XOvLSQ6SautW8DzSGCV8XKv9jQYlbM/4c3HwX
4vzIxYueW+u2MlfJZcYfkr8RK9bmk4mJCa63AK3VgRtQK21IJqNOR9lgiP202b+T
9o8CmT+rxAnEZHIr9j2nDjPlaR63lAWpSKsS/HxXr6wh2JS/34+YuhbvZlSrxYoR
D8Ta3fZYkIX7aCEziSNqRgZgz+VGroxrQCjdvTYRzr2G6LUVrr0D4dUJnBt1DhZO
klV+pv2tFl5q9szTuu0dkLNyPYFOTjCTD3GxpsuMwmONMAzsMUT+ouLVoklmXxim
Ah3ZrRv4O/hnjRZM0+tV498b4G8ZZmyp80K1CTQwLJNewpk9n2I2K7RVGFtyXa9M
irfOVbUQKaBTrqg=
-----END CERTIFICATE REQUEST-----
If my goal was only to verify integrity of a PEM file on two machines I could just use e.g. sha256sum csr.pem value but I'd like to get the same fingerprint as Puppet does
The general notion of the fingerprint/thumbprint of a certificate is a digest of the DER-encoded (binary) representation of the certificate. You can do this with the openssl x509 command directly... or indirectly:
$ openssl x509 -in test.cer -noout -sha256 -fingerprint
SHA256 Fingerprint=3E:A9:CB:54:36:DB:CF:23:50:D1:6B:D8:06:25:DC:0E:37:23:3E:A7:50:A5:D1:F3:05:0F:26:33:4E:F8:66:7C
$ openssl x509 -in test.cer -outform der | sha256sum
3ea9cb5436dbcf2350d16bd80625dc0e37233ea750a5d1f3050f26334ef8667c -
So the algorithm shouldn't require any private keys on input.
That is correct.
One of my failed attempts:
testbox:~# openssl x509 -fingerprint -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem
Because the fingerprint/thumbprint is the digest of the signed certificate, it cannot be determined from the request. (The certificate has its validity information, the CA identifier, and the CA's signature... and probably extensions not present in the request.)
If you're trying to match a certificate to a certificate request, the only thing they're really guaranteed to have in common is the public key. If the -pubkey outputs match they're the same.
$ openssl req -in test.csr -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
$ openssl x509 -in test.cer -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQEAr4HBy9ggP2JKU57WYIF1
NyOTooN9SJDkihne02lzEVYglo1r4NPao4qnd74C7gtrk7ck6NzBK2MrT6gLvJJb
zmJPTKfMYGMGs5QD4oyTLSTdVG/+TvajfxB3CyIV6oy7W/Qn6MTYm3nrM4N1EAxf
g+Vd6bRGbd++7kJTmu8z7xh7d2DDsaGyEDwtgURWSgwQOaCchc9rWXTrUW/I1mI8
lK46WguztMeSlX1DI5FWbPPipSr7DBQrngaBuJcmca8rgt05Cjm5Oc9xlWhofkmQ
pjBQyndo3NazeIQvGP2x9tn/CWuve+uY3Pkw1m/P1QP1jUG/9GIS4k46/EXqQr2I
RwIFAgAABEE=
-----END PUBLIC KEY-----
While I don't have an example offhand, just because they don't match doesn't mean they're different. This is because some algorithms, such as RSA, there are multiple different legal encodings for the key in SubjectPublicKeyInfo and the CA could re-normalize when signing the certificate.
For RSA you could open it with the openssl rsa command and then let OpenSSL re-normalize it (when writing it back out it won't remember which of the two representations were used)
$ openssl req -in test.csr -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
$ openssl x509 -in test.cer -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
writing RSA key
3305c9f5c37cb13c152d087eea65ce1af3f0f846b309cb0426f1f42ae5fcbae0 -
IMHO, the answer of bartonjs didn't really answer woky's original question:
I've a certificate request (see bottom) of which I'd like get fingerprint preferably from command-line (Unix). [...] I'd like to get the same fingerprint as Puppet does
So the question was, how to get the same fingerprint of the CSR as puppet does internally.
This command should do the "magic" generating the same fingerprint.
openssl req -in /etc/puppetlabs/puppet/ssl/certificate_requests/testbox.pem -outform der | sha256sum | awk '{ print $1 }' | sed 's/\(..\)/\1:/g; s/:$//; s/./\U&/g;'
awk limits output to the sha256 string and sed re-formats the string (insert colons, all letters capital, remove ending colon). This will give you a representation of the CSR fingerprint how puppet outputs it.
Note: I haven't been able to generate the same fingerprint as woky provided in his initial question using his CSR. But I'm able to reconstruct a correct fingerprint with any CSR I generate my self, so I'd guess woky's CSR doesn't match the fingerprint provided in the question.
This is an modification of lars answer:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c
Though this gives the checksum in lower case, so awk or tr is possibilities
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256 -c|tr '[:lower:]' '[:upper:]'
Would be how i now would do this (i use the '-c' argument to openssl dgst's sha256)
Another method could be:
openssl req -in ./kontrollant.ca.csr.pem -outform DER|openssl dgst -sha256|awk '{ gsub(/../,"&:", $2); gsub(/:$/,"", $2); print upper($2) }'

How to validate PFX with public-key privacy/integrity mode

I have a piece of embedded software generating P12/PFX formatted output data.
The PFX is not password protected, that means instead of using a password-derived encryption/mac key the data is encrypted with a public key and signed with my private key.
In RFC7292 section 3.1 this is called public-key privacy and integrity modes.
My question is, how can I validate the PFX I receive, e.g. using openssl? (I'm not restricted to use openssl, by the way I google'd around but could not find a way...)
I tried
openssl pkcs12 -info -in test.pfx
but openssl requests a password, which is not applicable here. Did I miss any option to not being asked for a password?
openssl pkcs12 -info -in test.pfx -passin pass: -passout pass:
Alternatively, you can just use
openssl pkcs12 -info -in test.pfx
and when it asks for Import Password or PEM Pass Phrase (and you didn't use any while generating the pfx file), just press Enter.
openssl pkcs12 -in keyStoreWithoutPW.p12 -info -passin pass: -passout pass:

Golang HTTPS with ECDSA certificate from OpenSSL

I don't know if this is the correct place to ask it, but I will try.
I am trying to run http.ListenAndServeTLS with ECDSA certificate generated from OpenSSL.
It fail with this error message: tls: failed to parse private key
Go understand elliptic.P256(), in the code it has this comment See FIPS 186-3, section D.2.3.
In this link: http://www.ietf.org/rfc/rfc5480.txt, it says it is also called secp256r1.
As you can see below, OpenSSL undestand this as prime256v1.
$ openssl ecparam -name secp256r1 -text -noout
using curve name prime256v1 instead of secp256r1
ASN1 OID: prime256v1
NIST CURVE: P-256
So what is wrong?
How can I generate ECDSA certificate from OpenSSL and use it on my Go code?
Using generate_cert.go to generate a P256 ECDSA certificate, my code works, but if I try to read the key file with OpenSSL it fail also.
$ openssl ecparam -text -noout -in key.pem
unable to load elliptic curve parameters
140377431725720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: EC PARAMETERS
I couldn't figured out what is the problem between OpenSSL and Go.
But my main problem is, how to generate ECDSA certificate to use with Go code!
Using CFSSL (https://cfssl.org/) I can generate ECDSA certificate and sign it with my internal CA certificate generated from OpenSSL. The certificate generated from CFSSL works fine with my Go code, so for me it solves my main problem!
I don't know if there is a format problem between OpenSSL and Go, but as CFSSL is written in Go, the certificate generated on it works fine in my code and in browser.
Here is an example of OpenSSL generated ECDSA keys working with Go.
https://play.golang.org/p/MS_FQ8cqqA8.
As clarified in this issue - https://github.com/golang/go/issues/23591, go does not recognize EC keys that are generated with the -param_enc explicit flag in Openssl.
# openssl ecparam -name prime256v1 -genkey -noout -out priv2.pem
# openssl req -new -x509 -key priv2.pem -out EC_server2.pem -days 365
Hope this solves your problem.
Run:
go run `go env GOROOT`/src/crypto/tls/generate_cert.go --host=localhost --ecdsa-curve=P256
This will generate cert.pem and key.pem in the current directory.

Convert .pem to .crt and .key

Can anyone tell me the correct way/command to extract/convert the certificate .crt and private key .key files from a .pem file? I just read they are interchangable, but not how.
I was able to convert pem to crt using this:
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
Converting Using OpenSSL
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert PEM to CRT (.CRT file)
openssl x509 -outform der -in certificate.pem -out certificate.crt
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OpenSSL Convert DER
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
OpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
OpenSSL Convert PFX
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Generate rsa keys by OpenSSL
Using OpenSSL on the command line you’d first need to generate a public and private key, you should password protect this file using the -passout argument, there are many different forms that this argument can take so consult the OpenSSL documentation about that.
openssl genrsa -out private.pem 1024
This creates a key file called private.pem that uses 1024 bits. This file actually have both the private and public keys, so you should extract the public one from this file:
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
or
openssl rsa -in private.pem -pubout > public.pem
or
openssl rsa -in private.pem -pubout -out public.pem
You’ll now have public.pem containing just your public key, you can freely share this with 3rd parties.
You can test it all by just encrypting something yourself using your public key and then decrypting using your private key, first we need a bit of data to encrypt:
Example file :
echo 'too many secrets' > file.txt
You now have some data in file.txt, lets encrypt it using OpenSSL and
the public key:
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
This creates an encrypted version of file.txt calling it file.ssl, if
you look at this file it’s just binary junk, nothing very useful to
anyone. Now you can unencrypt it using the private key:
openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
You will now have an unencrypted file in decrypted.txt:
cat decrypted.txt
|output -> too many secrets
RSA TOOLS Options in OpenSSL
NAME
rsa - RSA key processing tool
SYNOPSIS
openssl rsa [-help] [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-aes128] [-aes192] [-aes256] [-camellia128] [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in] [-RSAPublicKey_out] [-engine id]
DESCRIPTION
The rsa command processes RSA keys. They can be converted between various forms and their components printed out. Note this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 utility.
COMMAND OPTIONS
-help
Print out a usage message.
-inform DER|NET|PEM
This specifies the input format. The DER option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The PEM form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. On input PKCS#8 format private keys are also accepted. The NET form is a format is described in the NOTES section.
-outform DER|NET|PEM
This specifies the output format, the options have the same meaning as the -inform option.
-in filename
This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.
-passin arg
the input file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl.
-out filename
This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should not be the same as the input filename.
-passout password
the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl.
-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the rsa utility to read in an encrypted key with no encryption option can be used to remove the pass phrase from a key, or by setting the encryption options it can be use to add or change the pass phrase. These options can only be used with PEM format output files.
-text
prints out the various public or private key components in plain text in addition to the encoded version.
-noout
this option prevents output of the encoded version of the key.
-modulus
this option prints out the value of the modulus of the key.
-check
this option checks the consistency of an RSA private key.
-pubin
by default a private key is read from the input file: with this option a public key is read instead.
-pubout
by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key.
-RSAPublicKey_in, -RSAPublicKey_out
like -pubin and -pubout except RSAPublicKey format is used instead.
-engine id
specifying an engine (by its unique id string) will cause rsa to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
NOTES
The PEM private key format uses the header and footer lines:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
The PEM RSAPublicKey format uses the header and footer lines:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
The NET form is a format compatible with older Netscape servers and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. It is not very secure and so should only be used when necessary.
Some newer version of IIS have additional data in the exported .key files. To use these with the utility, view the file with a binary editor and look for the string "private-key", then trace back to the byte sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data from this point onwards to another file and use that as the input to the rsa utility with the -inform NET option.
EXAMPLES
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout
To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
Output the public part of a private key in RSAPublicKey format:
openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
To extract the key and cert from a pem file:
Extract key
openssl pkey -in foo.pem -out foo.key
Another method of extracting the key...
openssl rsa -in foo.pem -out foo.key
Extract all the certs, including the CA Chain
openssl crl2pkcs7 -nocrl -certfile foo.pem | openssl pkcs7 -print_certs -out foo.cert
Extract the textually first cert as DER
openssl x509 -in foo.pem -outform DER -out first-cert.der
Pre-requisite
openssl should be installed.
On Windows, if Git Bash is installed, try that! Alternate binaries can be found here.
Step 1: Extract .key from .pem
openssl pkey -in cert.pem -out cert.key
Step 2: Extract .crt from .pem
openssl crl2pkcs7 -nocrl -certfile cert.pem | openssl pkcs7 -print_certs -out cert.crt
This is what I did on windows.
Download a zip file that contains the open ssl exe from Google
Unpack the zip file and go into the bin folder.
Go to the address bar in the bin folder and type cmd. This will open a command prompt at this folder.
move/Put the .pem file into this bin folder.
Run two commands. One creates the cert and the second the key file
openssl x509 -outform der -in yourPemFilename.pem -out certfileOutName.crt
openssl rsa -in yourPemFilename.pem -out keyfileOutName.key
If you asked this question because you're using mkcert then the trick is that the .pem file is the cert and the -key.pem file is the key.
(You don't need to convert, just run mkcert yourdomain.dev otherdomain.dev )
A .crt stores the certificate.. in pem format. So a .pem, while it can also have other things like a csr (Certificate signing request), a private key, a public key, or other certs, when it is storing just a cert, is the same thing as a .crt.
A pem is a base 64 encoded file with a header and a footer between each section.
To extract a particular section, a perl script such as the following is totally valid, but feel free to use some of the openssl commands.
perl -ne "\$n++ if /BEGIN/; print if \$n == 1 && /BEGIN/.../END/;" mydomain.pem
where ==1 can be changed to which ever section you need. Obviously if you know exactly the header and footer you require and there is only one of those in the file (usually the case if you keep just the cert and the key in there), you can simplify it:
perl -ne "print if /^-----BEGIN CERTIFICATE-----\$/.../END/;" mydomain.pem

How to get .pem file from .key and .crt files?

How can I create a PEM file from an SSL certificate?
These are the files that I have available:
.crt
server.csr
server.key
Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa in place of openssl x509.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:
openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem
Thanks NCZ
Edit: As #floatingrock says
With AWS, don't forget to prepend the filename with file://. So it'll look like:
aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:
cat server.crt server.key > server.pem
Additionally, if you don't want it to ask for a passphrase, then need to run the following command:
openssl rsa -in server.key -out server.key
this is the best option to create .pem file
openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts
I was trying to go from godaddy to app engine. What did the trick was using this line:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
And I answered all the questions pertaining to common name / organization as www.name.com
Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..
.. And that finally worked.
All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.
I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.
Standards
Standards
Content format
File encoding
Possible content
X509
X
Certificates
PKCS#1
X
RSA keys (public/private)
PKCS#7
X
Certificates, CRLs
PKCS#8
X
Private keys, encrypted private keys
PKCS#12
X
Certificates, CRLs, private keys
JKS
X
Certificates, private keys
PEM
X
DER
X
Common combinations
Content \ Encoding
PEM (*)
DER (**)
Binary
X509
X
X
PKCS#1
X
X
PKCS#7 (***)
X
X
PKCS#8
X
X
PKCS#12 (***)
X
JKS (***)
X
This is a gist explains the same thing + commands for conversion/verification/inspection.
In conclusion, typical steps to work with cryptography/PKI materials:
Understand which format they are in (use verification/inspection commands)
Understand which format they are required (read doc)
Use conversion commands to convert the files
Optional: use verification/inspection commands to verify converted files
What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate,
enclosed between "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"
So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.
Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.
Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:
grep -A 1000 BEGIN cert.crt > cert.pem
Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.
aws iam upload-server-certificate
--server-certificate-name mycert
--certificate-body file://try2/40271b1b25236fd1.crt
--private-key file://server.key
--path /cloudfront/production/
--certificate-chain file://try2/gdig2_bundle.crt
And to delete your previous failed upload you can do
aws iam delete-server-certificate --server-certificate-name mypreviouscert
Download certificate from provisional portal by appleId,
Export certificate  from Key chain and  give name (Certificates.p12),
Open terminal and goto folder where you save above Certificates.p12 file,
Run below commands:
a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,
b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts
Your .pem file ready "pushcert.pem".
Open terminal.
Go to the folder where your certificate is located.
Execute below command by replacing name with your certificate.
openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts
Hope it will work!!
On Windows, you can use the certutil tool:
certutil -encode server.crt cert.pem
certutil -encode server.key key.pem
You can combine both files to one in PowerShell like this:
Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem
And in CMD like this:
copy cert.pem+key.pem cert-and-key.pem /b