How to buy and convert SSL certificate to PFX format

1/ The overall process of buying an SSL certificate

Buying an SSL certificate comes down to two things:

  • We send a Certificate Signing Request (CSR) to the SSL provider, asking them to verify our identity and give us a certificate that proves it.
  • The SSL provider approves that request and gives back a certificate (*.CRT) that can be used to prove our identity. This certificate is signed by a CA with a digital signature, so that our clients can use this signature to verify the certificate.

Therefore, buying an SSL certificate takes a few steps:

  1. Generate a CSR. This step produces two pieces of information:
    • A CSR file, which contains the public key and generic information about the certificate. You send this file to the SSL provider so they can generate the certificate for you.
    • A private key: this is private information. You should store it yourself and not send it to anyone else, including your SSL provider.
  2. Send the *.CSR file to the SSL provider to get their certificate.
  3. The SSL provider sends back a *.CRT certificate file. You can use this file to finish the SSL request.

2/ How to convert SSL Certificate to *.PFX

In this post, I assume that we have two files:

  • A *.CRT file from the SSL Provider
  • A *.KEY file from us, created when we generated the CSR file to give to the SSL provider.

The problem is that some web servers and services, such as IIS or Azure, require a *.PFX file.

So in this post we will discuss how to use "openssl" to convert our SSL certificate to *.PFX.

It's a simple task; you can use the following command to do the conversion:

openssl pkcs12 -export -out .\output.pfx -inkey ".\privatekey.key" -in "certificate.crt" -password "pass:yourpasswordhere" -name "name here"

That's it. Now you can import your *.PFX into your server!

Note 1:

  • The password of the *.PFX output is given in the form "pass:<YOUR_PASS_HERE>". If my password is 123456, then the syntax is:
    -password "pass:123456"

Note 2:

  • Tip: if you have installed the Git client, you can use the openssl.exe at "C:\Program Files\Git\usr\bin\openssl.exe"

3/ How to check if the certificate matches a Private Key?

In some situations, we are not sure whether the *.key and the *.crt are the correct pair.

We can use the commands below to check:

For your SSL certificate: openssl x509 -noout -modulus -in <file>.crt | openssl md5

For your RSA private key: openssl rsa -noout -modulus -in <file>.key | openssl md5

For your CSR: openssl req -noout -modulus -in <file>.csr | openssl md5

  • The output of each command is an MD5 hash, so we can compare the hash values.
  • If all three match, the SSL certificate matches the private key.
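
The same pair check as an added example (not part of the original post), written for a POSIX shell such as the Git Bash that comes with the Git client. It goes beyond the RSA-only modulus check by comparing SHA-256 digests of the public key, so it also works for EC keys, and it refuses to build the PFX when the pair does not match. The function names, the file names and the use of -passout "file:..." in place of -password "pass:..." are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. All file names are constructed.

# Print the SHA-256 of the public key inside a cert, private key or CSR.
# Fails if the file cannot be parsed, so two unreadable files never "match".
pubkey_digest() {
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_key CERT KEY [CSR]: succeeds only if all hold the same public key.
cert_matches_key() {
    c=$(pubkey_digest cert "$1") || return 1
    k=$(pubkey_digest key "$2") || return 1
    [ "$c" = "$k" ] || return 1
    if [ -n "${3:-}" ]; then
        r=$(pubkey_digest csr "$3") || return 1
        [ "$c" = "$r" ] || return 1
    fi
}

# export_pfx CERT KEY OUT PASSFILE NAME: refuse to build a PFX from a bad pair.
# The password is read from a file so it stays out of the process list.
export_pfx() {
    cert_matches_key "$1" "$2" || { echo "certificate/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" \
        -passout "file:$4" -name "$5"
}

# Constructed sample material: two EC keys, a CSR and a self-signed cert.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/site.key" &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key" &&
    openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr" &&
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_samples "$tmp"
cert_matches_key "$tmp/site.crt" "$tmp/site.key" "$tmp/site.csr" && echo "site.key: match"
cert_matches_key "$tmp/site.crt" "$tmp/other.key" || echo "other.key: mismatch"
rm -rf "$tmp"
```
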

4/ How do Web Browsers verify an SSL certificate when accessing a Web site?

At a high level, when a Web Browser connects to a Web Server, the Web Server sends back a Certificate.

This certificate includes two major pieces of information:

  • Information about the Certificate: Issuer, Host Name, Expiry Date, …
  • A Digital Signature to verify the authenticity of the information in the Certificate.

The Web Browser then uses the above information to verify the Certificate returned from the server.

The most important thing is that Web Browsers always have their own database of trusted "Issuers", to make sure the Certificate was generated by a known, trustworthy CA and does not come from a harmful source.

That means that if your certificates are not in the trusted database of the consumer (e.g. the Web Browser), then your SSL certificates are likely to be marked as dangerous/untrustworthy.






