How to Convert a CER to PFX

Setting up a website means asking visitors to trust that you've taken steps to secure the privacy of their data and their interactions with you. That requires using the Secure Sockets Layer, or SSL, which encrypts the information passing between your site and the browser. To use SSL, you need a digital certificate. Certificates come in multiple file formats, with extensions including .CER and .PFX.

What Certificates Do

A digital certificate is a website's equivalent of showing some form of secure ID, like a passport. Your visitor's browser, whether it's Chrome, Firefox, Safari or something else, contains a list of trusted companies called certificate authorities. There are a number of those, including DigiCert, Entrust, GlobalSign and GoDaddy. Their job is to validate that a domain name corresponds to a legitimate site, and in some cases, they also validate the ownership of the site.

If the browser connecting to your site finds a valid, up-to-date certificate from an authority it trusts, it connects happily and exchanges encryption keys with your server, allowing the visitor to browse. If it doesn't, it'll show visitors a warning that the site is insecure and may attempt to steal their data.

Certificate Formats and Extensions

Digital certificates come in a small number of formats, two of which are more important than the others. The most widely used is the PEM format, which keeps your site's data in an ASCII file. Your domain name's private security key is typically kept in a separate file for security reasons. This type of certificate is used in Linux environments and on Apache servers, which account for a large percentage of the internet.

PEM certificates can have different filename extensions, including .PEM, .CRT and .CER. You'll also see the .KEY extension, which is the separate file for the security key.

The other is the PKCS#12 format. This certificate is in binary form, so you can't read it in a text editor as you can with the PEM format. It's used on Windows-based systems and servers, which are less common than their Linux equivalents but still have significant market share. Their filename extensions are .PFX and .P12.

Converting Between Certificate Formats

Certificate formats can create a problem when your certificate was issued in one format and your site's hosting service requires a different one. For example, you might choose to host your site on Microsoft's Azure, which expects a PKCS#12 certificate with the .PFX extension, but you have a PEM certificate with the common .CER extension.

The usual way to convert between formats is with an open-source tool called OpenSSL, which can convert back and forth between the ASCII and binary certificates and apply an appropriate filename and extension. Linux users can install OpenSSL from their distro's repositories, and Windows users can find a number of programs built on OpenSSL to download. OpenSSL for Windows requires the 2008 Visual C++ redistributables runtime, so you need to install that as well.

Convert CER to PFX in OpenSSL

OpenSSL runs from the command line, so you have to open a terminal window. In Linux, you do that with the keyboard shortcut Ctrl+Alt+F1 or Ctrl+Alt+T. Windows 10 users should open the Run box in their menu, type CMD into the box, and then press Ctrl+Shift+Enter to run the command prompt as an administrator.

After you have the command prompt, type the command to turn your .CER file and its associated .KEY file into a PFX. The syntax looks like this:

openssl pkcs12 -export -in yourcertificate.cer -inkey yourkey.key -out yourcertificate.pfx

Replace "yourcertificate" and "yourkey" with the correct filenames for your actual certificate. When you press Enter, OpenSSL creates the PFX file. You can also go the other way from .PFX to .CER by reversing the filenames. The same technique works for changing a certificate's filename extension. You can convert .PEM to .CRT or .CRT to .CER, as needed.
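An added example, not from the original article: a shell wrapper around the conversion command above that first confirms the key belongs to the certificate, passes the export password through an environment variable rather than the command line, and reads the PFX back to check its contents. The function names, the PFX_PASS variable and the example.test test certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checked CER+KEY -> PFX conversion. Function names and the
# PFX_PASS variable are illustrative assumptions, not part of OpenSSL.
# PFX_PASS must be exported; "env:" keeps the password out of the argument
# list that other users can see in the process table.

# True only if the certificate and the private key carry the same public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cer_to_pfx CERT KEY OUT: refuse a mismatched pair, then export.
cer_to_pfx() {
  cert_matches_key "$1" "$2" || {
    echo "error: $2 is not the private key for $1" >&2
    return 1
  }
  # umask 077 in a subshell: the PFX holds the private key, so create it 0600.
  ( umask 077
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
      -passout env:PFX_PASS )
}

# Read the PFX back and print the SHA-256 fingerprint of its certificate.
# Going from PFX to PEM uses "pkcs12 -in" without -export.
pfx_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts |
    openssl x509 -noout -fingerprint -sha256
}

# Constructed sample input: a throwaway self-signed pair DIR/NAME.cer + .key.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}
```

Export PFX_PASS before calling cer_to_pfx, then compare the output of pfx_cert_fingerprint with `openssl x509 -in yourcertificate.cer -noout -fingerprint -sha256` to confirm the PFX holds the intended certificate.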

Using Other Utilities

If you're uncomfortable with using the command line, there are tools other than OpenSSL you can use to convert your certificate. A simple online search for "SSL certificate conversion tool" finds several, from various vendors. Certificate authority DigiCert, for example, has one of its own for Windows users.
