Hello S-1-1-0, PowerShell Crypto Guy is still here, and today we will talk about the subject. Sometimes you have to use 3rd-party applications/tools to generate certificate requests. Some of them use the Windows certificate store to store the request and the corresponding private key, while others generate a request file and a separate file with an unencrypted private key. Common examples are the makecert.exe and openssl.exe tools. These applications create a request file (mostly with a .CSR or .REQ file extension) and a private key file (mostly with a .KEY or .PVK file extension) for compatibility with UNIX-like systems. Once the certificate request is signed, you get a standard X.509 certificate file.

The problem occurs when you try to import this certificate into the Windows certificate store. Obviously, it will be imported without a private key, because the Certificate Import Wizard doesn't know anything about the separate private key file. There are at least 3 tools that can join (or convert) these files into a single PKCS#12/PFX file: OpenSSL, certutil and pvk2pfx.

The following syntax is used for OpenSSL:

OpenSSL.exe pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.pfx

There is also an online (web-based) version of the OpenSSL tool: https://www.sslshopper.com/ssl-converter.html

The following syntax is used for certutil:

certutil -MergePFX certfile.cer certfile.pfx

Since there is no way to specify the private key file for the -MergePFX parameter, you must meet the following requirements:

  • Private key file MUST have .KEY extension;
  • certificate and private key files MUST have the same base file name (file name excluding extension);
  • certificate and private key file must be placed in the same directory.

The following syntax is used for pvk2pfx:

pvk2pfx -pvk certfile.pvk -spc certfile.cer -out certfile.pfx

One last thing I want to say here: unfortunately, there is no universal tool for all cases. It really depends on the application that was used to generate the key file. For example, a key file created by OpenSSL is not compatible with certutil and pvk2pfx. A key created by makecert is compatible with pvk2pfx only, and so on.
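A pre-flight check for the points above, as an added example (not code from the original article): it classifies a private key file by its header, since the format decides which tool can consume it, and verifies the three certutil -MergePFX file requirements. The function names are hypothetical, the sample inputs are constructed, and the case-insensitive name comparison assumes Windows file-name semantics.

```python
import struct
from pathlib import Path

PVK_MAGIC = 0xB0B5F11E  # first 4 bytes (little-endian) of a Microsoft .pvk file
PEM_LABELS = {
    b"-----BEGIN PRIVATE KEY-----": "PEM PKCS#8",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----": "PEM PKCS#8 (encrypted)",
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM PKCS#1 RSA",
    b"-----BEGIN EC PRIVATE KEY-----": "PEM SEC1 EC",
}

def key_format(data):
    """Classify private key file contents by header; key material is never parsed."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PVK_MAGIC:
        return "PVK"
    for line in data.splitlines():
        if line.strip() in PEM_LABELS:
            return PEM_LABELS[line.strip()]
    if any(label in data for label in PEM_LABELS):
        # Marker text exists but is not a line of its own (e.g. file flattened to one line).
        return "malformed PEM (BEGIN marker not on its own line)"
    if data[:1] == b"\x30":  # DER-encoded ASN.1 SEQUENCE
        return "DER"
    return "unknown"

def mergepfx_layout_problems(cert, key):
    """Check the three certutil -MergePFX file requirements listed in the article."""
    cert, key = Path(cert), Path(key)
    problems = []
    if key.suffix.lower() != ".key":
        problems.append("private key file must have the .KEY extension")
    if key.stem.lower() != cert.stem.lower():  # assumption: case-insensitive names
        problems.append("certificate and key must share the same base file name")
    if key.parent != cert.parent:
        problems.append("certificate and key must be in the same directory")
    return problems

if __name__ == "__main__":
    # Constructed samples: headers only, no real key material.
    samples = {
        "makecert-style": struct.pack("<I", PVK_MAGIC) + b"\x00" * 20,
        "openssl-style": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
        "one-line": b"-----BEGIN PRIVATE KEY-----AAAA-----END PRIVATE KEY-----",
    }
    for name, blob in samples.items():
        print(name, "->", key_format(blob))
    print(mergepfx_layout_problems("certs/certfile.cer", "keys/certfile.pvk"))
```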

HTH


Comments:

girts 14.09.2017 12:15 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Thanks, it came in handy.

V 30.03.2018 04:05 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Well done, good article.

Matt B 26.08.2019 22:04 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Absolutely brilliant, simple instructions. For Windows users certutil is the easiest way to combine two text files (a cer and private key) into a PFX.

Well done sir. Thank you.

Parth Patel 17.09.2019 14:24 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file
MrCalvin 03.12.2019 19:15 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Using openssl on linux:

openssl pkcs12 -export -out /tmp/mg/cert.pfx -inkey /tmp/mg/privat.key -in /tmp/mg/public.crt -certfile /tmp/mg/ca.crt

Notice I added the -certfile argument!

Mirko 11.03.2020 14:43 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Thanks mate. Great tool

Manjunath 23.03.2020 11:24 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Certutil command helped me a lot without installing the other tools.

Thank you!!

Chris A 30.04.2020 00:36 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Vadims - great article. Being that it was written in 2011, do you happen to know if incompatibilities still exist between openssl, certutil and pvk2pfx? I did some digging but couldn't find any information regarding this. I do have empirical experience suggesting the same, but what I attempted was also years ago.

Vadims Podāns 30.04.2020 09:50 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

Chris, nothing has changed since then.

Michael 14.08.2020 15:56 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

What is the file format for the private key when using OpenSSL? I have a simple text file with the -----BEGIN PRIVATE KEY-----xxxxx-----END PRIVATE KEY-----. I am getting an error: unable to load private key
26188:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

Vadims Podāns 14.08.2020 18:36 (GMT+3) How to merge certificate and private key to a PKCS#12(PFX) file

@Michael, the mentioned PEM header and footer stand for a PKCS#8 private key.

