utilnx

OpenSSL Command Generator

Generate OpenSSL commands for SSL/TLS certificate management. Create keys, CSRs, convert formats, and more.

100% client-side — your file paths and domains never leave your browser.

OpenSSL Command Reference & Guide

What is OpenSSL?

OpenSSL is the most widely used open-source toolkit for SSL/TLS and general-purpose cryptography. It provides command-line tools for creating private keys (RSA, ECDSA, Ed25519), generating Certificate Signing Requests (CSRs), creating self-signed certificates, converting between certificate formats (PEM, PFX, DER, P7B), verifying certificate chains, and testing SSL/TLS connections. OpenSSL is pre-installed on most Linux distributions and macOS, and available on Windows via package managers like winget, choco, or standalone installers.

This tool generates copy-paste ready OpenSSL commands with explanations. It supports single commands for individual operations and multi-step flows for common workflows like setting up SSL for Nginx, creating PFX bundles for IIS, or building an internal Certificate Authority.

CA Certificate Repositories

When building certificate chains or configuring trust stores, you need the intermediate and root CA certificates from your Certificate Authority. Download them from the CA's official repository, for example GoDaddy (certs.godaddy.com/repository), DigiCert (knowledge.digicert.com) or eMudhra (e-mudhra.com/Repository).

SSL Certificate Formats Explained (.pem, .crt, .cer, .pfx, .p7b, .der)

One of the most common sources of confusion is SSL certificate file extensions. In practice, .pem, .crt, and .cer are usually the same format — PEM-encoded Base64 text with BEGIN/END headers. The extension is just a naming convention, not a different format.

PEM (.pem, .crt, .cer, .key)

Base64-encoded text with BEGIN/END headers. The most common format for Linux web servers (Nginx, Apache, HAProxy). Human-readable. Can contain certificates, private keys, or both. The .crt, .cer, .key extensions are just conventions — they're all PEM files.

DER (.der, .cer)

Binary-encoded certificate. Used by Java applications, some Windows tools, and embedded systems. Not human-readable. The .cer extension on Windows is sometimes DER-encoded — open it in a text editor to check: if you see readable text, it's PEM; if binary, it's DER.

PFX / P12 (.pfx, .p12)

PKCS#12 binary bundle containing certificate, private key, and optionally the CA chain — all in a single password-protected file. Required by IIS, Azure App Service, Windows Certificate Store, and Java keystores (via keytool import).

P7B / PKCS#7 (.p7b, .p7c)

Contains certificates and chain certs only (no private key). Common in Windows and Java environments. Often used when a CA provides the certificate chain as a separate bundle. Convert to PEM with openssl pkcs7 -print_certs.

CSR (.csr)

Certificate Signing Request — contains the public key and subject information (CN, O, etc.). Submitted to a Certificate Authority to obtain a signed certificate. Does not contain the private key.

JKS (.jks)

Java KeyStore — Java's proprietary keystore format. Since Java 9, PKCS#12 (.pfx) is the default. Convert PFX to JKS using: keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore keystore.jks

How to Convert Between Certificate Formats

The most common conversion tasks involve moving between PEM (used by Nginx, Apache) and PFX (used by IIS, Azure, Windows). Here's a quick reference:

.crt + .key → .pfx
openssl pkcs12 -export -out cert.pfx -inkey private.key -in certificate.crt

Bundle for IIS/Windows. Add -certfile chain.pem to include intermediates.

.pfx → .crt + .key
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.key

Extract for Nginx/Apache. Two commands — one for cert, one for key.

.cer → .pem
openssl x509 -in cert.cer -inform DER -outform PEM -out cert.pem

Only needed if .cer is binary DER. If it's already text (PEM), just rename it.

.p7b → .pem
openssl pkcs7 -in cert.p7b -print_certs -out cert.pem

Extracts all certs from PKCS#7 bundle. Does not contain private keys.

.pem → .der
openssl x509 -in cert.pem -outform DER -out cert.der

Convert to binary for Java apps or embedded systems.

.crt + .key → single .pem
cat private.key certificate.crt chain.pem > combined.pem

For HAProxy, Postfix, and other servers that expect a single PEM file.
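The conversions above only work if you know which format a file really is, and the extension is just a convention. This added example (not code from the utilnx tool) sniffs the content instead of the extension and writes a PEM copy that Nginx, Apache or HAProxy can load; the function name and the password argument are assumptions, and it needs the openssl binary on PATH.

```shell
# to_pem INPUT OUTPUT [PFX_PASSWORD]: detect the real format of a certificate
# file and write a PEM copy. Prints the detected format; returns 1 if unknown.
to_pem() {
    in="$1"; out="$2"; pass="${3:-}"
    # PEM-encoded PKCS#7 (.p7b as text): unwrap the certificates it carries
    if grep -q -e '-----BEGIN PKCS7-----' "$in" 2>/dev/null; then
        openssl pkcs7 -in "$in" -print_certs -out "$out" 2>/dev/null && { echo PKCS7; return 0; }
    # any other PEM (.pem/.crt/.cer/.key): already text, just copy it
    elif grep -q -e '-----BEGIN ' "$in" 2>/dev/null; then
        cp "$in" "$out" && { echo PEM; return 0; }
    # binary DER certificate (.cer/.der from Windows, Java, embedded systems)
    elif openssl x509 -inform DER -in "$in" -out "$out" 2>/dev/null; then
        echo DER; return 0
    # binary PKCS#7 / P7B bundle: certificates and chain only, never a key
    elif openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" 2>/dev/null; then
        echo PKCS7; return 0
    # PKCS#12 / PFX: cert + key (+ chain); the key comes out unencrypted
    # (-nodes), so the output file is made owner-readable only
    elif openssl pkcs12 -in "$in" -nodes -passin "pass:$pass" -out "$out" 2>/dev/null; then
        chmod 600 "$out"; echo PKCS12; return 0
    fi
    rm -f "$out"
    echo "to_pem: unrecognised format: $in" >&2
    return 1
}
```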

Key Algorithms Compared: RSA vs ECDSA vs Ed25519

RSA 2048
Pros: Universally compatible. Supported by all systems, browsers, and CAs.
Cons: Larger key size. Slower handshakes compared to ECDSA.
Use when: Default choice when compatibility is the priority.
RSA 4096
Pros: Stronger security than RSA 2048. Same compatibility.
Cons: Even larger key and slower operations. Diminishing returns over 2048.
Use when: High-security environments where performance isn't critical.
ECDSA P-256
Pros: 256-bit key equivalent to RSA 3072. Faster TLS handshakes. Smaller certificates.
Cons: Not supported on very old systems (pre-2010).
Use when: Modern web servers, APIs, and mobile apps.
ECDSA P-384
Pros: Stronger than P-256. Required by some government standards (CNSA).
Cons: Slightly slower than P-256. Overkill for most use cases.
Use when: Government, military, or regulated industries.
Ed25519
Pros: Fastest. Smallest key. Strongest security per bit. Simple implementation.
Cons: Limited CA support. Not all web servers support it for TLS certificates.
Use when: SSH keys, internal services, and cutting-edge deployments.

What is an SSL Certificate Chain?

A certificate chain (or chain of trust) links your server certificate back to a trusted Root CA through one or more intermediate certificates. Browsers trust Root CAs that are pre-installed in their trust store. When a browser connects to your server, it validates each certificate in the chain: your server cert → intermediate CA(s) → Root CA. If any link is missing or invalid, the browser shows a security warning.

When configuring your server, always include the intermediate certificates (the "chain" or "bundle") alongside your server certificate. Download intermediate certificates from your CA's repository (GoDaddy, DigiCert, eMudhra, etc.). You can verify a complete chain with: openssl verify -CAfile chain.pem certificate.crt
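The chain just described, built end to end as an added example (not the tool's own output): a root CA, an intermediate limited to pathlen:0, a server certificate with SANs signed by the intermediate, the leaf-plus-intermediate chain file a server loads, and the openssl verify step. Directory layout, file names and the example.internal names are assumptions; it needs OpenSSL 1.1.1 or later.

```shell
# Internal CA in three tiers (root -> intermediate -> server cert with SANs),
# the leaf+intermediate chain file servers load, and the verify step.
# Requires OpenSSL 1.1.1 or later.

# ca_config DIR: tiny req config so nothing depends on the system openssl.cnf
ca_config() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$1/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$1/req.cnf"
}
# new_key FILE: ECDSA P-256 private key, owner-readable only
new_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" && chmod 600 "$1"; }
# sign ISSUER_DIR CSR OUT_CRT DAYS EXTFILE: sign a CSR with ISSUER_DIR/ca.key
sign() {
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$3" -days "$4" -extfile "$5"
}

# new_root DIR NAME: self-signed root; keep its key offline in real deployments
new_root() {
    mkdir -p "$1" && ca_config "$1" && new_key "$1/ca.key" &&
    openssl req -x509 -new -key "$1/ca.key" -out "$1/ca.crt" -days 3650 \
        -subj "/CN=$2" -config "$1/req.cnf"
}

# new_intermediate ROOT_DIR DIR NAME: CA:TRUE with pathlen:0 (may sign leaves only)
new_intermediate() {
    mkdir -p "$2" && ca_config "$2" && new_key "$2/ca.key" &&
    openssl req -new -key "$2/ca.key" -out "$2/ca.csr" -subj "/CN=$3" -config "$2/req.cnf" &&
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$2/ca.ext" &&
    sign "$1" "$2/ca.csr" "$2/ca.crt" 1825 "$2/ca.ext"
}

# issue_server ISSUER_DIR OUT_DIR DOMAIN [MORE_DNS...]: key, CSR, 398-day cert
# with every name in subjectAltName, then fullchain.pem (leaf first, then the
# intermediate) as ssl_certificate / HAProxy crt expect it
issue_server() {
    iss="$1"; out="$2"; cn="$3"; shift 3
    san="DNS:$cn"; for d in "$@"; do san="$san,DNS:$d"; done
    mkdir -p "$out" && new_key "$out/server.key" &&
    openssl req -new -key "$out/server.key" -out "$out/server.csr" -subj "/CN=$cn" -config "$iss/req.cnf" &&
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\nauthorityKeyIdentifier=keyid\n' "$san" > "$out/server.ext" &&
    sign "$iss" "$out/server.csr" "$out/server.crt" 398 "$out/server.ext" &&
    cat "$out/server.crt" "$iss/ca.crt" > "$out/fullchain.pem"
}

# verify_chain ROOT_CRT LEAF_DIR: trust only the root; the chain file supplies the intermediate
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2/fullchain.pem" "$2/server.crt" >/dev/null
}
```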

OpenSSL Commands Cheat Sheet

openssl genrsa -out key.pem 2048

Generate a 2048-bit RSA private key.

openssl ecparam -genkey -name prime256v1 -out key.pem

Generate an ECDSA P-256 private key.

openssl req -new -key key.pem -out csr.pem -subj "/CN=example.com"

Create a CSR using an existing private key.

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

Generate a self-signed certificate with SAN for localhost development.

openssl x509 -in cert.pem -text -noout

Display full certificate details (subject, issuer, dates, extensions).

openssl x509 -in cert.pem -noout -enddate

Check when a certificate expires.

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile chain.pem

Convert PEM to PFX with certificate chain included.

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

Convert PFX to PEM (extracts cert + key without encryption).

openssl s_client -connect example.com:443 -servername example.com

Test TLS connection, inspect server certificate, and check protocol.

openssl verify -CAfile ca.crt cert.pem

Verify a certificate against a CA certificate.

openssl x509 -noout -pubkey -in cert.crt | openssl md5

Get the public key hash — compare with the key file hash to verify a cert-key match.

openssl pkcs7 -in cert.p7b -print_certs -out cert.pem

Extract certificates from a P7B/PKCS#7 bundle.

SSL Certificate Setup by Server

Nginx: PEM (.crt + .key)

Use ssl_certificate for the cert+chain (concatenated into one file) and ssl_certificate_key for the private key. Build the chain: cat cert.crt intermediate.crt > fullchain.pem

Apache: PEM (.crt + .key + .chain)

Use SSLCertificateFile for the server cert, SSLCertificateKeyFile for the key, and SSLCertificateChainFile for intermediates. In Apache 2.4.8 and later SSLCertificateChainFile is deprecated: put the server certificate followed by the intermediates in a single file and point SSLCertificateFile at it.

IIS / Windows: PFX (.pfx)

Import PFX through IIS Manager → Server Certificates → Import, or via MMC snap-in. The PFX must contain the cert, key, and chain. Generate with: openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile chain.pem

Java / Tomcat: PFX (.pfx) or JKS (.jks)

Import PFX using: keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore keystore.jks. Since Java 9, PKCS#12 is the recommended format.

HAProxy: single PEM (.pem)

HAProxy expects a single PEM file with key + cert + chain concatenated: cat key.pem cert.crt chain.pem > haproxy.pem. Set in config: bind *:443 ssl crt /etc/haproxy/haproxy.pem

Azure App Service: PFX (.pfx)

Upload PFX via Azure Portal → TLS/SSL settings → Private Key Certificates. Must be password-protected. Minimum RSA 2048-bit. Include full chain in the PFX.

Frequently Asked Questions

How do I convert a .crt file to PFX?

A .crt file is typically PEM-encoded — the same format as .pem. Run: openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt. Add -certfile chain.pem to include intermediates. You'll be prompted to set an export password.

What's the difference between .pem, .crt, and .cer?

They're usually the same PEM format — Base64 text with BEGIN/END headers. The extension is a naming convention: .crt/.cer for certificates, .key for private keys, .pem for either. The only exception: .cer on Windows is sometimes binary DER-encoded. Check by opening in a text editor.

How do I check if a certificate and private key match?

Compare the public key fingerprint: openssl x509 -noout -pubkey -in cert.crt | openssl md5 vs openssl pkey -pubout -in private.key | openssl md5. If both MD5 hashes are identical, they match. Works for RSA, ECDSA, and Ed25519.

How do I create a self-signed certificate for localhost?

openssl req -x509 -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.crt -days 365 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1". The -addext flag adds SAN, which modern browsers require — CN alone is no longer enough.

How do I check when a remote server's certificate expires?

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate. Replace example.com with your domain. The -servername flag is needed for servers using SNI (most modern servers).

Where do I get intermediate/root CA certificates for my chain?

Download from your CA's repository: GoDaddy (certs.godaddy.com/repository), DigiCert (knowledge.digicert.com), or eMudhra (e-mudhra.com/Repository). Your CA typically emails these along with your signed certificate, or provides download links.

How do I convert P7B to individual cert files?

Run: openssl pkcs7 -in cert.p7b -print_certs -out certs.pem. This extracts all certificates. The first is usually your server cert; the rest are intermediates. Split them manually or use csplit.

OpenSSL Tips & Best Practices

  • Always restrict private key file permissions: chmod 600 private.key
  • Never commit private keys to version control. Add *.key and *.pfx to your .gitignore.
  • Use ECDSA P-256 for new deployments unless you need maximum compatibility with legacy systems.
  • Set certificate validity to 1 year or less — CAs no longer issue certificates valid for more than 398 days.
  • Always include Subject Alternative Names (SAN) — modern browsers ignore the Common Name (CN) field for domain validation.
  • When converting to PFX, use a strong export password. When converting from PFX, secure the extracted key file immediately.
  • Test your SSL configuration after deployment: echo | openssl s_client -connect yourdomain.com:443
  • For Let's Encrypt certificates, use certbot instead of manual OpenSSL — it handles renewal automatically.
  • When your CA sends a certificate, always verify it matches your CSR: compare the public key hashes of both files.
  • Use openssl s_client -showcerts to download a server's full certificate chain for debugging chain issues.
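The key-match, chain, expiry and key-permission checks from the tips above, combined into one pre-deployment script as an added example (not code from the utilnx tool). It compares SHA-256 hashes of the public keys instead of the MD5 used on the page, which changes nothing about the comparison; the function names, the output wording and the 30-day default are assumptions.

```shell
# pubkey_hash FILE: SHA-256 of the public key inside a certificate, CSR or
# private key, so any two of them can be compared with plain string equality
pubkey_hash() {
    case "$(head -c 40 "$1")" in
        *"CERTIFICATE REQUEST"*) openssl req -noout -pubkey -in "$1" ;;
        *CERTIFICATE*)           openssl x509 -noout -pubkey -in "$1" ;;
        *)                       openssl pkey -pubout -in "$1" ;;
    esac | openssl dgst -sha256 | sed 's/^.* //'
}

# preflight CERT KEY CA_BUNDLE [MIN_DAYS]: run the deployment checks;
# prints one line per check and returns 1 if any of them failed
preflight() {
    cert="$1"; key="$2"; ca="$3"; days="${4:-30}"; rc=0
    # 1. the private key belongs to this certificate (same public key)
    if [ "$(pubkey_hash "$cert")" = "$(pubkey_hash "$key")" ]; then
        echo "ok   private key matches certificate"
    else echo "FAIL private key does not match certificate"; rc=1; fi
    # 2. the chain verifies; -CAfile trusts every cert in the bundle, so it
    #    must be the CA's own root/intermediate bundle, not an arbitrary file
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain verifies against $ca"
    else echo "FAIL chain does not verify against $ca"; rc=1; fi
    # 3. not expiring within MIN_DAYS (-checkend takes seconds)
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "ok   valid for at least $days more days"
    else echo "FAIL $(openssl x509 -in "$cert" -noout -enddate)"; rc=1; fi
    # 4. the key file is not group- or world-readable (chmod 600)
    if [ "$(ls -l "$key" | cut -c5-10)" = "------" ]; then
        echo "ok   $key is owner-readable only"
    else echo "FAIL $key permissions are too open, run: chmod 600 $key"; rc=1; fi
    return $rc
}
```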