Exporting a Certificate from PFX to PEM

For security, EFT Server does not allow you to use a certificate file with a .p* (e.g., pfx, p12) extension. The .p* extension indicates that the file is a combined certificate that includes both the public and private keys, which would give clients access to the private key. You can create certificate files using EFT Server's Certificate wizard. If you have a combined certificate from a third party, use the procedure below to extract the public key.

To export the certificates from PFX to PEM

  1. Download the precompiled Windows binary and Windows Installer for OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html. The OpenSSL distribution contains a number of utilities, including the main utility openssl.exe. By default, the utilities are installed in C:\Openssl\bin.

  2. Open a Windows command prompt and navigate to \Openssl\bin.

  3. Type openssl.exe and press ENTER. The OpenSSL prompt appears.

  4. Execute the following command:

    pkcs12 -in <cert.pfx> -out <cert.pem> -nodes

    where <cert.pfx> is the name of the PFX file (you might need to include the path and quotes), and <cert.pem> is the name of the file that OpenSSL is to generate (include the path if you want to save it in a location other than \Openssl\bin).

    For example, type:

    pkcs12 -in "C:\Program Files\nsoftware\IPWorks EDI V7 AS2 Connector\as2datacert.pfx" -out cert.pem -nodes

  5. The command converts the data in the <cert.pfx> file to PEM format in the <cert.pem> file. The PEM file contains all of the certificates that were in the PFX file:

  6. Each of the certificates (Private Key, Identity certificate, Root certificate, Intermediate certificate) is wrapped within headers, and these headers are part of the certificates. The PEM file looks similar to the following:

  7. Open the PEM file in a text editor (such as Notepad or EditPlus) and delete all but the last certificate section so that the file only contains the section that starts

    -----BEGIN CERTIFICATE-----

    and ends

    -----END CERTIFICATE-----

  8. Save the file with a .crt extension. The file is now ready to be used in EFT Server for the partner certificate.
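The manual edit in the procedure above (keep only the last certificate section) can also be scripted. The following is an added example, not part of the original EFT Server documentation: it keeps the last CERTIFICATE block and reports any private-key blocks found in the input, because the -nodes option writes the private key to the PEM file unencrypted. The sample PEM text is constructed placeholder data, and the output name partner.crt is hypothetical.

```python
import re

# One PEM block: the label (CERTIFICATE, PRIVATE KEY, ...) must match
# in the BEGIN and END header lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

def split_pem(text):
    """Return (label, block_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def partner_certificate(text):
    """Keep only the last CERTIFICATE block, dropping keys and bag attributes.

    Returns (crt_text, private_key_labels); a non-empty label list means the
    input PEM held key material and should be deleted once the .crt is saved.
    """
    blocks = split_pem(text)
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in PEM input")
    key_labels = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    return certs[-1].replace("\r\n", "\n") + "\n", key_labels

# Constructed sample: placeholder base64, not real key or certificate data.
SAMPLE_PEM = """Bag Attributes
    friendlyName: constructed-sample
-----BEGIN PRIVATE KEY-----
QUFBQUFBQUFBQUFB
-----END PRIVATE KEY-----
subject=/CN=first
-----BEGIN CERTIFICATE-----
Q0VSVE9ORQ==
-----END CERTIFICATE-----
subject=/CN=last
-----BEGIN CERTIFICATE-----
Q0VSVFRXTw==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    crt, key_labels = partner_certificate(SAMPLE_PEM)
    with open("partner.crt", "w", newline="\n") as fh:  # hypothetical file name
        fh.write(crt)
    if key_labels:
        print("Input PEM contained:", ", ".join(key_labels), "- delete it after use.")
```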

Refer to Knowledge Base article Q10401 - HOWTO: Using OpenSSL to Generate/Convert Keys and Certificates for more information regarding using the OpenSSL command-line tool to generate and convert private keys and public certificates.