Hello S-1-1-0, PowerShell Crypto Guy still here, and today we will talk about the following subject. Sometimes you have to use 3rd-party applications/tools for certificate request generation. Some of them use the Windows certificate store to store the request and the corresponding private key, but others generate a request file and a separate file with an unencrypted private key. Common examples are the makecert.exe and openssl.exe tools. These applications create a request file (mostly with a .CSR or .REQ file extension) and a private key file (mostly with a .KEY or .PVK file extension) for compatibility with UNIX-like systems. Once the certificate request is signed, you get a standard X.509 certificate file.

The problem occurs when you try to import this certificate into the Windows certificate store. Obviously it will be imported without the private key, because the Certificate Import Wizard doesn't know anything about the separate private key file. There are at least three tools that can join (or convert) these files into a single PKCS#12/PFX file: OpenSSL, certutil and pvk2pfx.

The following syntax is used for OpenSSL:

OpenSSL.exe pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.pfx

Also, here is an online (web-based) version of the OpenSSL tool: https://www.sslshopper.com/ssl-converter.html

The following syntax is used for certutil:

certutil -MergePFX certfile.cer certfile.pfx

Since there is no way to specify the private key file for the -MergePFX parameter, you must meet the following requirements:

  • the private key file MUST have the .KEY extension;
  • the certificate and private key files MUST have the same base file name (file name excluding extension);
  • the certificate and private key files must be placed in the same directory.

The following syntax is used for pvk2pfx:

pvk2pfx -pvk certfile.pvk -spc certfile.cer -out certfile.pfx

And the last thing I want to mention here: unfortunately, there is no universal tool for all cases. It really depends on the application that was used for key file generation. For example, a key file created by OpenSSL is not compatible with certutil or pvk2pfx, a key created by makecert is compatible with pvk2pfx only, and so on.
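As an added example (my own code, not part of the original article or any of the three tools), here is a small Python script that tells you which kind of file a 3rd-party tool has handed you (PEM certificate, PEM request, PEM or PVK private key), maps a private key format to the tool from the list above that accepts it, and checks the file-naming rules that certutil -MergePFX depends on. The function names, the "kind" strings, the PEM-label mapping and the sample inputs are my own assumptions; the PVK magic number is the value found at the start of makecert-style .PVK files.

```python
"""Added example: identify cert/key file formats and check the certutil
-MergePFX file layout. Standard library only; no real keys are involved."""
import re
from pathlib import Path
from typing import Iterable, List, Optional

# PVK files (makecert.exe output) begin with the magic number 0xB0B5F11E,
# stored little-endian on disk.
PVK_MAGIC = b"\x1e\xf1\xb5\xb0"

# A PEM "-----BEGIN <label>-----" marker; it must stand on a line of its own.
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)

# PEM labels relevant to the merge procedure and the "kind" we report for them
# (assumed naming, chosen for this example).
PEM_KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "request",
    "NEW CERTIFICATE REQUEST": "request",
    "PRIVATE KEY": "key-pkcs8",             # unencrypted PKCS#8
    "ENCRYPTED PRIVATE KEY": "key-pkcs8-encrypted",
    "RSA PRIVATE KEY": "key-pkcs1",          # traditional OpenSSL RSA key
    "EC PRIVATE KEY": "key-sec1",
}
PEM_KEY_KINDS = ("key-pkcs8", "key-pkcs8-encrypted", "key-pkcs1", "key-sec1")


def classify(data: bytes) -> str:
    """Return a short kind string for the raw file contents.

    'request' means the file is still a CSR: a CA has to sign it, and the
    returned X.509 certificate is what gets merged, not the request itself.
    'pem-malformed' means PEM markers exist but the BEGIN marker is not on a
    line by itself, which a PEM reader such as OpenSSL's will not accept.
    """
    if data.startswith(PVK_MAGIC):
        return "key-pvk"
    m = PEM_BEGIN.search(data)
    if m:
        label = m.group(1).decode("ascii")
        return PEM_KINDS.get(label, "pem-" + label.lower().replace(" ", "-"))
    if b"-----BEGIN " in data:
        return "pem-malformed"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: DER-encoded cert, key or request
        return "der"
    return "unknown"


def suggested_tool(kind: str) -> Optional[str]:
    """Map a private key kind to the merge tool from the article that takes it:
    OpenSSL-style PEM keys go through 'openssl pkcs12 -export', makecert-style
    PVK keys through pvk2pfx. Returns None for anything that is not a key."""
    if kind in PEM_KEY_KINDS:
        return "openssl"
    if kind == "key-pvk":
        return "pvk2pfx"
    return None


def check_mergepfx_layout(cert: str, existing: Optional[Iterable[str]] = None) -> List[str]:
    """Check the naming rules certutil -MergePFX relies on: the key must sit next
    to the certificate as <same base name>.key. `existing` lets a caller (or a
    test) supply the directory listing instead of reading the disk. Names are
    compared case-insensitively, as Windows does."""
    cert_path = Path(cert)
    if existing is None:
        existing = (p.name for p in cert_path.parent.iterdir())
    names = {Path(n).name.lower() for n in existing}
    problems: List[str] = []
    if cert_path.suffix.lower() == ".key":
        problems.append("first argument must be the certificate file, not the .key file")
        return problems
    wanted = cert_path.with_suffix(".key").name
    if wanted.lower() not in names:
        problems.append(f"no {wanted} next to {cert_path.name}: the key file needs the same "
                        "base name, a .key extension and the same directory")
    return problems


# Constructed sample inputs (not real keys or requests): the base64 bodies are
# placeholders, and the PVK sample is the magic number followed by zero bytes.
SAMPLE_PKCS8_KEY = b"-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE REQUEST-----\n"
SAMPLE_ONE_LINE = b"-----BEGIN PRIVATE KEY-----xxxxx-----END PRIVATE KEY-----"
SAMPLE_PVK = PVK_MAGIC + bytes(20)

if __name__ == "__main__":
    for name, blob in [("key.pem", SAMPLE_PKCS8_KEY), ("request.csr", SAMPLE_CSR),
                       ("oneline.key", SAMPLE_ONE_LINE), ("certfile.pvk", SAMPLE_PVK)]:
        kind = classify(blob)
        print(f"{name}: {kind} -> tool: {suggested_tool(kind)}")
    # Simulated directory listing for the certutil layout check.
    print(check_mergepfx_layout("certfile.cer", ["certfile.cer", "certfile.key"]))
    print(check_mergepfx_layout("certfile.cer", ["certfile.cer", "certfile.pem"]))
```

Run it on a real file with `classify(Path("certfile.key").read_bytes())`; a result of `request` means you still have a CSR rather than a certificate, and `pem-malformed` means the BEGIN/END markers are not on their own lines. Which key encodings certutil -MergePFX itself accepts is not covered by the article, so `check_mergepfx_layout` only verifies the naming rules listed above.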

HTH


Comments:

girts

thanks, it was useful

V

Well done, good article.

Matt B

Absolutely brilliant, simple instructions. For Windows users certutil is the easiest way to combine two text files (a cer and private key) into a PFX.

Well done sir. Thank you.

Parth Patel
MrCalvin

Using openssl on linux:

openssl pkcs12 -export -out /tmp/mg/cert.pfx -inkey /tmp/mg/privat.key -in /tmp/mg/public.crt -certfile /tmp/mg/ca.crt

Notice I added the -certfile argument!

Mirko

Thanks mate. Great tool

Manjunath

Certutil command helped me a lot without installing the other tools.

Thank you!!

Chris A

Vadims - great article. Being that it was written in 2011, do you happen to know if incompatibilities still exist between openssl, certutil and pvk2pfx? I did some digging but couldn't find any information regarding this. I do have empirical experience suggesting the same, but what I attempted was also years ago.

Vadims Podāns

Chris, nothing has changed since then.

Michael

What is the file format for the private key when using OpenSSL? I have a simple text file with the -----BEGIN PRIVATE KEY-----xxxxx-----END PRIVATE KEY-----. I am getting an error: unable to load private key
26188:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

Vadims Podāns

@Michael, the mentioned PEM header and footer stand for a PKCS#8 private key.

Bijay Kumar Sharma

I've a Certificate file (.csr) and a Key file (.key). My requirement is to generate a Java Key Store file (.jks) by merging these 2 files. How to do this? It's a bit urgent for me. Please let me know if anyone can help me.

Vadims Podāns

> I've a Certificate file (.csr) and a Key file (.key). My requirement is to generate a Java Key Store file (.jks) by merging these 2 files.

Please, ask your question on StackOverflow.

Keith Thomas

So simple a process once you've explained it, yet so hard to find elsewhere. Great job, much appreciated!!

Bob Hanson

A simple solution explained well. Thank you!

Piotr

It is very deceitful to use – instead of the dash ascii in command line examples on this page. I wasted half an hour debugging why it does not work after copying your example.

C

Digicert has a tool that does it on Windows if certutil doesn't play ball

https://www.digicert.com/support/tools/certificate-utility-for-windows

