Something I have to do every time I update SSL certificates on IIS web servers.
Preamble
P7B (PKCS#7)
A P7B file is a text file that contains certificates and chain certificates, but does not contain the private key.
PFX (PKCS#12)
A PFX file is a binary format file for storing the server certificate, any intermediate certificates, and the private key in one encryptable file.
Convert P7B to PFX
Note that in order to do the conversion, you must have both the certificates cert.p7b file and the private key cert.key file.
$ openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
From the man page of pkcs7:
- -print_certs: prints out any certificates contained in the file.
- -in: specifies the input filename to read from.
- -out: specifies the output filename to write to.
$ openssl pkcs12 -export -in cert.cer -inkey cert.key -out cert.pfx
From the man page of pkcs12:
- -export: specifies that a PKCS#12 file will be created.
- -in: specifies the file to read certificates (and any private keys) from; with -export this is the certificate file in PEM format.
- -inkey: specifies the file to read private key from.
- -out: specifies the filename to write the PKCS#12 file to.
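The two commands above wrapped in shell functions, as an added example that is not part of the original post: before exporting, it checks that cert.key actually matches a certificate in the P7B bundle (the usual renewal mistake is pairing the new certificate with last year's key), and afterwards counts the certificates in the PFX so a missing chain is noticed. It assumes OpenSSL on PATH and takes the export password as an argument; the file names are the post's.

```shell
set -eu

# SHA-256 of the public key inside a PEM certificate ("x509") or private key ("pkey").
pubkey_fp() {   # $1 = x509 | pkey, $2 = file
    if [ "$1" = x509 ]; then
        openssl x509 -in "$2" -pubkey -noout
    else
        openssl pkey -in "$2" -pubout
    fi | openssl sha256 | awk '{print $NF}'
}

# Succeeds when the key's public half matches some certificate in the PEM bundle
# written by "openssl pkcs7 -print_certs"; the bundle may carry the whole chain.
key_in_bundle() {   # $1 = PEM bundle, $2 = private key
    want=$(pubkey_fp pkey "$2")
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        # cut the i-th certificate out of the bundle (x509 ignores the subject=/issuer= lines)
        awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$1" > "$1.$i"
        got=$(pubkey_fp x509 "$1.$i")
        rm -f "$1.$i"
        [ "$got" = "$want" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# The post's two commands with the match check in between; refuses to write a PFX
# whose key belongs to some other certificate.
p7b_to_pfx() {   # $1 = cert.p7b, $2 = cert.key, $3 = cert.pfx, $4 = export password
    chain="$3.chain.cer"
    openssl pkcs7 -print_certs -in "$1" -out "$chain"
    if ! key_in_bundle "$chain" "$2"; then
        echo "error: $2 does not match any certificate in $1" >&2
        rm -f "$chain"
        return 1
    fi
    openssl pkcs12 -export -in "$chain" -inkey "$2" -out "$3" -passout "pass:$4"
    rm -f "$chain"
}

# Number of certificates stored in the PFX: 1 means no intermediates were bundled.
pfx_cert_count() {   # $1 = cert.pfx, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}
```

On OpenSSL 3.x the default PFX encryption (AES with PBKDF2) is rejected by the certificate import on older Windows releases; add -legacy to the pkcs12 -export line when the target IIS server cannot open the file.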
Create a Self-Signed PFX with OpenSSL
2048-bit RSA self-signed certificate valid for 5 years:
$ openssl req -new -x509 -days 1825 -sha256 -nodes -out cert.crt -keyout cert.key
From the openssl man page:
- req: creates and processes certificate requests.
- -new: generates a new certificate request.
- -x509: outputs a self-signed certificate instead of a certificate request.
- -days: when the -x509 option is being used this specifies the number of days to certify the certificate for.
- -sha256: specifies the message digest to sign the request with.
- -nodes: the private key will not be encrypted.
- -out: specifies the output filename to write to.
- -keyout: filename to write the newly created private key to.
$ openssl pkcs12 -export -in cert.crt -inkey cert.key -out cert.pfx
Generate a New Private Key and Certificate Signing Request (CSR)
$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out cert.csr -keyout cert.key
The -newkey option creates a new certificate request and a new private key; rsa:2048 selects a 2048-bit RSA key.
Create RSA Private Key from PFX
$ openssl pkcs12 -in cert.pfx -nocerts -nodes | openssl rsa -out rsaprivkey.pem
Thank you for your time.
Hi guys, is it in any way possible to import the .P7B into the PFX file without the private key?
Hi Martin. A PFX archive must contain a certificate (possibly with its assorted set of CA certificates) and the corresponding private key. If you have no private key, then you cannot make a PFX.
I have problems with converting P7B all the time, this page is a great resource, thanks.
ty
“Note that in order to do the conversion, you must have both the certificates cert.p7b file and the private key cert.key file.”
I know little about certificates. I went to the official site, can’t find the requirement in the official docs
https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs7.html
Check the man pages, they have everything you need to perform the conversion.
You have to supply a file to read private key from. If not present, then a private key must be present in the input file.
Dear Tomas,
How can I create a .cert file with pkcs7 print_certs from a UTF-8 p7b file?
Thanks,
I’m not sure that I understand your question, I have a feeling that you’ll need to consult OpenSSL documentation.