Uly.me

cloud engineer

pem

PFX to PEM

Here’s how to convert SSL certificate from PFX to PEM format. 

#!/bin/bash
 
echo "This script converts SSL certificates from PFX to PEM."
read -p 'Enter PFX Certificate Name  : ' cert_pfx
read -p 'Enter the Import Passphrase : ' import_passphrase
 
openssl pkcs12 -in $cert_pfx -nocerts -out cert-key.pem -passin pass:$import_passphrase -passout pass:$import_passphrase
openssl pkcs12 -in $cert_pfx -clcerts -nokeys -out cert-body.pem -passin pass:$import_passphrase -passout pass:$import_passphrase
openssl pkcs12 -in $cert_pfx -nodes -nokeys -out cert-chain.pem -passin pass:$import_passphrase -passout pass:$import_passphrase
sleep 3
openssl rsa -in key.pem -out cert-private.key -passin pass:$import_passphrase -passout pass:$import_passphrase

This was covered in an earlier post, but this script prompts you for the passphrase.

Here’s the expected output.

  • cert-key.pem
  • cert-body.pem
  • cert-chain.pem
  • cert-private.key

Convert PFX to PEM format

SSL certificates comes in multiple formats. Some providers will hand you over certificates in PFX format which comes in a single file. If you need to import it to AWS Certificate Manager, you will need to convert it from PFX to PEM format. The following set of commands uses OpenSSL and pkcs12 to convert a SSL certificate from PFX to PEM format.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

It result in 3 files.

  • server.key is the private key
  • cert.pem is the certificate
  • cert.pem and chain.pem are the full chain.

Once you have them, you can the proceed to import it to ACM.

SSL Certificate Import

SSL Certificates Explained

If you’re confused about the different formats and files that the Certificate Manager will accept in AWS, this site explains it fairly well. The Certificate Manager contains 3 fields during the import process. Certificate body, Certificate private key, and Certificate chain.

  • Server certificate > Intermediate certificate > Root certificate
  • Private RSA Key
  • Chain consists of Root and Intermediate