Table of Contents
I keep the intro short because I think the tutorial is more important. If you want to know more about how I got this, you can read this at the bottom in the summary.
In this tutorial I’ll explain how to convert .pfx certificates to .crt certificates including the private key.
Let’s convert a .pfx certificate to a .crt certificate for Apache, the basics.
We need Linux to convert the certificate to .crt for Apache.
Fortunately, Since awhile Windows 10 has Kali Linux (Bash) in the Microsoft Store.
Let’s start with installing Kali Linux.
Install Kalix Linux from the Microsoft Store.
Now we’ve installed Kali Linux we can continue with installing OpenSSL in Bash.
Click here if you want to know more about Kali Linux.
Let’s install OpenSSL in Kali Linux.
Go to start and search for Kali Linux.
Open the application.
Copy / paste the following command to install OpenSSL.
Or in Linux terms: To git clone OpenSSL.
git clone git://git.openssl.org/openssl.git
It will take a while, but eventually OpenSSL will install itself. Wait for this process to finish.
Unfortunately I cannot show you because I’ve already installed OpenSSL.
Click here for more about OpenSSL.
Let’s now use OpenSSL in Kali Linux to convert your .pfx certificate to .crt including the private key in a seperate text file.
Are you still following it?
It all seems like a lot, but it is not that bad. The final steps are the hardest steps, so stay with the lesson.
Save the .pfx file somewhere and make sure you have a backup.
Be 100% sure that you have a backup or can export a new certificate in IIS.
For me it went wrong the first time.
Start Kali Linux and copy / paste the following command.
You have now opened the directory where OpenSSL is installed.
We will first make an export from the private key to a text file.
Now this is a tricky part.
To use directories on your Windows C drive in Kali Linux, you must use the following. This is your C-drive:
Suppose you have your .pfx in C:\temp. To then export your private key to C:\ temp you need to use the following command.
openssl pkcs12 -in "/mnt/c/temp/baswijdenes_com.pfx" -out "/mnt/c/baswijdenes_com_privatekey.txt" -nodes
I understand that Apache servers use the private key separately in a text file. That is why we exported these separately.
The last thing we need to do now is to convert the .pfx to .crt.
I want to mention that you can usually just download the .crt from your SSL authority, this is also sufficient if you provide the private key in a text file.
openssl pkcs12 -in "/mnt/c/temp/baswijdenes_com.pfx" -clcerts -nokeys -out "/mnt/c/temp/baswijdenes_com.crt"
And that’s it. You can now import these into Apache yourself, or you can zip the key + .crt and send it to the supplier.
Click here for more about Apache.
I hope you could follow the tutorial a bit.
I am a Microsoft engineer myself, so this was all new to me.
A customer requested a new certificate and without knowing that this was for an Apache server I made a CSR request in IIS and then sent the .pfx certificate to the customer, who questioned the answer whether it could become a .crt certificate.
It took some research, but it was interesting.