Certificate Management Guide with OpenSSL

This guide provides an overview of common certificate file types – .p7b, .cer, and .pfx – and demonstrates how to manage them using OpenSSL. You'll learn how to perform various conversions and exports, which is essential for system administration, web server configuration, and secure communications.

Certificate Types Overview

File Type	Format	Contents	Typical Use
`.p7b`	PKCS#7 (Base64 or DER)	Certificate chain; no private key	Distributing certificate chains
`.cer`	PEM (Base64) or DER (binary)	Single certificate or certificate chain	Installing on web servers, clients
`.pfx`	PKCS#12 (binary, password‑protected)	Certificate(s) with corresponding private key	Import/export of certificates and private keys, typically on Windows

Introduction to OpenSSL Certificate Management

OpenSSL is a versatile command‑line tool that can handle various cryptographic functions, including converting and managing certificate files. In this guide, we cover common tasks such as:

Converting a .p7b file to PEM format
Exporting certificates and private keys from a .pfx file
Converting a .cer file between DER and PEM formats

Converting a .p7b File to PEM

A .p7b file (PKCS#7) usually contains a certificate chain but no private key. To extract the certificates in PEM format, use the following OpenSSL command:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

This command reads the certificate.p7b file and outputs the contained certificates to certificate.pem in PEM format.

Exporting Certificates and Private Keys from a .pfx File

A .pfx file (PKCS#12) bundles certificates with their private keys. To extract the certificate and private key in PEM format, use these commands.

Extracting the Private Key

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privatekey.pem

This command extracts the private key from certificate.pfx and writes it to privatekey.pem. The -nodes flag ensures the private key is not encrypted in the output.

Extracting the Certificate

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem

This command extracts only the certificate (without private keys) from the .pfx file and writes it to cert.pem.

Extracting the Entire Chain

openssl pkcs12 -in certificate.pfx -nokeys -out chain.pem

If your .pfx file contains intermediate certificates, this command will extract the full chain into chain.pem.

Converting a .cer File Between DER and PEM Formats

A .cer file can be in either DER (binary) or PEM (Base64) format. To convert between these formats, use the following commands.

DER to PEM

openssl x509 -inform DER -in certificate.cer -out certificate.pem

This converts a DER‑encoded certificate (certificate.cer) to PEM format.

PEM to DER

openssl x509 -outform DER -in certificate.pem -out certificate.der

This converts a PEM‑encoded certificate (certificate.pem) to DER format, saved as certificate.der.

Additional Tips for Managing Certificates with OpenSSL

Verifying a Certificate: You can inspect certificate details using:
```
openssl x509 -in certificate.pem -text -noout
```

Checking the Private Key Matches the Certificate:

openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in privatekey.pem | openssl md5

Compare the MD5 hashes; they should match.

Password Protection: When working with .pfx files, you’ll be prompted for a password. You can also add encryption to output files by omitting the -nodes option.

Return to Home