How to Convert PEM to PKCS12/PFX with Intermediate Certificates using OpenSSL

When working with SSL/TLS certificates, you'll often need to convert between formats. The PKCS12 (PFX) format is particularly useful as it bundles everything into a single file. Here's how to properly include intermediate certificates in your conversion:

openssl pkcs12 -export \
    -out certificate.p12 \
    -inkey privateKey.key \
    -in certificate.crt \
    -certfile intermediate.crt \
    -name "My Certificate" \
    -caname "Intermediate CA"

The options used in this command are:

  • -inkey: Your private key file
  • -in: Your primary certificate
  • -certfile: Intermediate certificate(s)
  • -name: Friendly name for the certificate
  • -caname: Friendly name for the CA

If you have multiple intermediate certificates, concatenate them into a single file (in order from your certificate to root):

cat intermediate1.crt intermediate2.crt > combined.crt

Then use combined.crt with the -certfile parameter.

After creation, verify the contents. Note that -nodes (spelled -noenc in OpenSSL 3) writes the private key to the terminal in the clear; pass -nokeys instead when you only want to inspect the certificate chain:

openssl pkcs12 -info -in certificate.p12 -nodes

Error: "unable to load certificates" - Usually means incorrect certificate order in combined file.

Error: "unable to load private key" - Verify the key matches the certificate and is in PEM format.

Always protect your PKCS12 files with strong passwords. Supply the export password with -passout (or -password); otherwise you'll be prompted interactively. Be aware that a pass:... argument on the command line is visible to other users in the process list and is saved in your shell history, so outside of quick tests prefer the env:VARIABLE or file:path forms:

openssl pkcs12 -export -out certificate.p12 \
    -inkey privateKey.key \
    -in certificate.crt \
    -certfile intermediate.crt \
    -passout pass:YourStrongPassword

When working with SSL/TLS certificates, you'll often encounter a certificate chain consisting of:

  • Your end-entity certificate (server certificate)
  • One or more intermediate certificates
  • The root CA certificate

Here's the proper OpenSSL command to include intermediate certificates:

openssl pkcs12 -export -out certificate.pfx \
    -inkey privateKey.key \
    -in certificate.crt \
    -certfile intermediate.crt \
    -name "My Certificate" \
    -CSP "Microsoft Enhanced Cryptographic Provider v1.0"

  • -inkey: Specifies your private key file
  • -in: Your primary certificate file
  • -certfile: The intermediate certificate(s) file
  • -name: Friendly name for the certificate in the store
  • -CSP: Optional cryptographic service provider specification (only meaningful when the file is imported into a Windows certificate store)

If you have multiple intermediate certificates, concatenate them into a single file:

cat intermediate1.crt intermediate2.crt > combined_intermediates.crt

Then use the combined file with the -certfile parameter.

After creating your PKCS12 file, verify its contents:

openssl pkcs12 -info -in certificate.pfx -nodes

The resulting PFX file is commonly used for:

  • Importing certificates into the Windows certificate store
  • Configuring Java KeyStores
  • Setting up SSL for web servers like Apache or Nginx

If you encounter errors:

  1. Ensure all files are in PEM format
  2. Verify the certificate chain is complete
  3. Check file permissions on your private key
  4. Make sure the private key matches the certificate
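The export and the verification steps above, together with the key-matches-certificate check from the troubleshooting list, as an added example that is not part of the original article. It assumes only the openssl CLI; the root/intermediate/leaf chain is generated as throwaway test data, and the PFX_PASS value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): generate a throwaway root ->
# intermediate -> leaf chain, check that the key belongs to the leaf
# certificate, export the PKCS12 bundle with the chain, then read it back.
set -eu

# Succeeds only when the PEM private key and certificate share a public key.
key_matches_cert() {   # key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Export key + leaf + chain; the password is read from the exported
# PFX_PASS variable so it never appears in the process list or history.
build_pfx() {          # build_pfx KEY CERT CHAIN OUT
    : "${PFX_PASS:?export PFX_PASS first}"
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
        -name "My Certificate" -caname "Intermediate CA" -passout env:PFX_PASS
}

# Number of certificates stored in the bundle (leaf plus chain).
count_pfx_certs() {    # count_pfx_certs PFX
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c "BEGIN CERTIFICATE"
}

# Constructed test data: a self-signed root, an intermediate it signs and
# a leaf signed by the intermediate. Not real certificates.
make_test_chain() {    # make_test_chain DIR
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Test Root" -days 30 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in intermediate leaf; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=Test $n" 2>/dev/null
    done
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 30 -extfile ca.ext -out intermediate.crt 2>/dev/null
    openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 30 -out leaf.crt 2>/dev/null
    cat intermediate.crt root.crt > combined.crt   # leaf-to-root order
}

WORK=$(mktemp -d) && make_test_chain "$WORK"
export PFX_PASS='test-only-password'   # placeholder, not a real secret
key_matches_cert leaf.key leaf.crt && echo "leaf key matches leaf certificate"
build_pfx leaf.key leaf.crt combined.crt certificate.p12
echo "certificates in bundle: $(count_pfx_certs certificate.p12)"   # prints 3
```

Run key_matches_cert against your real key and certificate before exporting; a mismatch there is what the last troubleshooting step is about.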