How to get .pem file from .key and .crt files?

Question

How can I create a PEM file from an SSL certificate?

These are the files that I have available:

• .crt
• server.csr
• server.key

Answer 1

Using p11-kit (available on CentOS 7)

Given crt files are in /etc/ssl/certs/:

p11-kit extract --format=pem-directory /tmp/pem-files

A pem file for each crt file will be placed in the specified directory (which the command will create).

Answer 2

First of all we have to create pfx file using .crt file and .key file. During execution you need to enter your certs password. Below is the command

 openssl pkcs12 -export -in company.crt -inkey company.key -out yourssl.pfx

Once you have pfx file. Please execute Below 2 commands

openssl pkcs12 -in yourssl.pfx -clcerts -nokeys -out yourcert.pem
openssl pkcs12 -in yourssl.pfx -clcerts -out yourkey.pem

Answer 3

On Windows, you can use the certutil tool:

certutil -encode server.crt cert.pem
certutil -encode server.key key.pem

You can combine both files to one in PowerShell like this:

Get-Content cert.pem, key.pem | Set-Content cert-and-key.pem

And in CMD like this:

copy cert.pem+key.pem cert-and-key.pem /b

Answer 4

All of the files (*.crt, server.csr, server.key) may already be in PEM format, what to do next with these files depends on how you want to use them, or what tool is using them and in which format it requires.

I'll go a bit further here to explain what are the different formats used to store cryptography materials and how to recognise them as well as convert one to/from another.

Standards

Standards	Content format	File encoding	Possible content
X509	X		Certificates
PKCS#1	X		RSA keys (public/private)
PKCS#7	X		Certificates, CRLs
PKCS#8	X		Private keys, encrypted private keys
PKCS#12	X		Certificates, CRLs, private keys
JKS	X		Certificates, private keys
PEM		X
DER		X

Common combinations

Content \ Encoding	PEM (*)	DER (**)	Binary
X509	X	X
PKCS#1	X	X
PKCS#7 (***)	X	X
PKCS#8	X	X
PKCS#12 (***)			X
JKS (***)			X

This is a gist explains the same thing + commands for conversion/verification/inspection.

In conclusion, typical steps to work with cryptography/PKI materials:

• Understand which format they are in (use verification/inspection commands)
• Understand which format they are required (read doc)
• Use conversion commands to convert the files
• Optional: use verification/inspection commands to verify converted files

Answer 5

Your keys may already be in PEM format, but just named with .crt or .key.

If the file's content begins with -----BEGIN and you can read it in a text editor:

The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.

If the file is in binary:

For the server.crt, you would use

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a Web server and you cannot specify loading a separate private and public key:

You may need to concatenate the two files. For this use:

cat server.crt server.key > server.includesprivatekey.pem

I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.

Answer 6

• Open terminal.
• Go to the folder where your certificate is located.
• Execute below command by replacing name with your certificate.

openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts

• Hope it will work!!

Answer 7

1. Download certificate from provisional portal by appleId,
2. Export certificate  from Key chain and  give name (Certificates.p12),
3. Open terminal and goto folder where you save above Certificates.p12 file,

4. Run below commands:

   a) openssl pkcs12 -in Certificates.p12 -out CertificateName.pem -nodes,

   b) openssl pkcs12 -in Certificates.p12 -out pushcert.pem -nodes -clcerts

5. Your .pem file ready "pushcert.pem".

Answer 8

Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.

aws iam upload-server-certificate
    --server-certificate-name mycert
    --certificate-body file://try2/40271b1b25236fd1.crt
    --private-key file://server.key
    --path /cloudfront/production/
    --certificate-chain file://try2/gdig2_bundle.crt

And to delete your previous failed upload you can do

aws iam delete-server-certificate --server-certificate-name mypreviouscert

Answer 9

I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:

openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem

Thanks NCZ

Edit: As @floatingrock says

With AWS, don't forget to prepend the filename with file://. So it'll look like:

 aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/

http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html

Answer 10

I was trying to go from godaddy to app engine. What did the trick was using this line:

openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr

Exactly as is, but replacing name with my domain name (not that it really even mattered)

And I answered all the questions pertaining to common name / organization as www.name.com

Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:

cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt

Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:

openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem

exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt

Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..

.. And that finally worked.

Answer 11

this is the best option to create .pem file

openssl pkcs12 -in MyPushApp.p12 -out MyPushApp.pem -nodes -clcerts

Answer 12

What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.

.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.

Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.

Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:

grep -A 1000 BEGIN cert.crt > cert.pem

Answer 13

Additionally, if you don't want it to ask for a passphrase, then need to run the following command:

openssl rsa -in server.key -out server.key

Answer 14

A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:

cat server.crt server.key > server.pem