SSL certificates can exist in several different forms, and you may occasionally find that the certificate you acquire from a commercial certificate authority is in a different format than what is required by the application that you are attempting to secure. Recently, for example, I was working on a project in which an application required me to provide an SSL certificate in the form of a PFX file. However, the certificate authority from which I purchased the certificate issues certificates only in P7B format. Thankfully, SSL certificate conversion isn't just possible; it's relatively easy.
One of the most widely used tools for converting SSL certificates to another format is OpenSSL. OpenSSL is a free, open source tool that is capable of performing any number of SSL certificate-related tasks. You can download the latest version of OpenSSL here. If you need a Windows version of the tool, you can find it here.
Working With OpenSSL
Admittedly, there is a bit of a learning curve associated with OpenSSL. OpenSSL is a command line tool, and it can do far more than just certificate conversions. For example, you can use OpenSSL to generate keys, troubleshoot TLS connections and calculate digests. As you would probably expect from such a comprehensive tool, the OpenSSL command syntax tends to be complex. In spite of the tool’s overall complexity, certificate conversions usually aren’t that difficult.
When you are converting a certificate, the first parameter that you will usually need to provide is the OpenSSL subcommand that matches the kind of object you are working with. x509 is perhaps the most commonly used value, but other possibilities include things like crl2pkcs7, pkcs7 and pkcs12.
Other required values can vary depending on the type of conversion that you are trying to perform. In the vast majority of conversions you will need to use the -in and -out parameters. These parameters allow you to specify your input files and output files, respectively. The input file is the certificate that you want to convert, and the output file will be the filename that is assigned to the certificate post conversion.
Another commonly used pair of parameters is -inform and -outform. These parameters allow you to specify the input format and the output format. In other words, the -inform parameter allows you to tell OpenSSL what type of certificate you want to convert, while -outform lets you specify what type of certificate you want to create. The valid arguments for both of these parameters include DER, NET and PEM. Keep in mind that you may not always have to use both -inform and -outform. Sometimes you will only need to use one of these parameters, and occasionally you may find that neither is required.
So, with that said, let’s take a look at a couple of sample conversion commands. If for example, you want to convert a certificate from .PEM to .DER format, you can do so with this command:
openssl x509 -in sample.pem -outform der -out sample.der
The conversion process works similarly if you want to convert a pkcs12 certificate to .CER format. An example of such a command might be:
openssl pkcs12 -in sample.pfx -out certificate.cer -nodes
Notice that this conversion didn’t require the use of the -inform and -outform parameters. It did, however, use the -nodes parameter, which tells OpenSSL not to encrypt the output key. Because a PFX file carries the private key, the resulting .cer file will contain that key in plaintext alongside the certificate, so treat it with the same care as the original PFX.
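The scenario from the opening paragraph (a CA that issues P7B, an application that wants PFX) worked through as an added shell example; this is not code from the original article. It assumes openssl is on the PATH, uses a throwaway self-signed certificate as constructed input, and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper: convert a DER-encoded P7B bundle plus its PEM private
# key into a PFX file by going through PEM, then verify the round trip.
set -eu

# p7b_to_pfx IN.p7b KEY.pem OUT.pfx PASSWORD
# Step 1: "pkcs7 -print_certs" extracts the certificate(s) from the P7B as PEM.
# Step 2: "pkcs12 -export" bundles those certificates with the private key;
#         -passout protects the PFX, since it now contains the private key.
p7b_to_pfx() {
    p7b=$1; key=$2; pfx=$3; pass=$4
    tmp=$(mktemp)
    openssl pkcs7 -inform der -in "$p7b" -print_certs -out "$tmp"
    openssl pkcs12 -export -in "$tmp" -inkey "$key" -out "$pfx" -passout "pass:$pass"
    rm -f "$tmp"
}

# pfx_fingerprint OUT.pfx PASSWORD -> SHA-256 fingerprint of the leaf certificate
# (-nokeys -clcerts pulls only the client certificate back out of the PFX)
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo with constructed input: build a self-signed certificate, wrap it into
# a P7B the way a CA would deliver it, convert to PFX, and check that the
# certificate that comes back out is the one that went in.
demo_round_trip() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 1 -subj "/CN=example.test" 2>/dev/null
    # crl2pkcs7 -nocrl wraps PEM certificates into a PKCS#7 (P7B) bundle
    openssl crl2pkcs7 -nocrl -certfile "$dir/cert.pem" -outform der -out "$dir/cert.p7b"
    p7b_to_pfx "$dir/cert.p7b" "$dir/key.pem" "$dir/cert.pfx" "demo-pass"
    orig=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256 | cut -d= -f2)
    conv=$(pfx_fingerprint "$dir/cert.pfx" "demo-pass")
    rm -rf "$dir"
    [ "$orig" = "$conv" ] && echo match || echo mismatch
}
```

Comparing the SHA-256 fingerprint before and after is the quickest check that a conversion produced the certificate you expected rather than a different one from a multi-certificate bundle.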
Although OpenSSL works, using it isn't always the best experience. I have used OpenSSL a number of times, and while I have always been able to accomplish my certificate conversion goals, OpenSSL can be extremely picky about the command syntax. If you are not a big fan of using command line tools, or if you are having trouble making OpenSSL do what you need it to do, there is another option.
SSL Shopper provides a free, Web-based SSL certificate conversion tool. This tool does the same thing as OpenSSL, but it uses a simple graphical interface that makes the conversion process a lot easier.
Which Tool Should You Use?
From a security standpoint, you are better off using OpenSSL as opposed to the online certificate conversion utility. This is especially true if you are converting a certificate to or from PFX format.
OpenSSL is a standalone utility that you can install locally, on your own machine. This means that when you use OpenSSL, you aren’t transmitting potentially sensitive information across the Internet. This might not be a huge issue for some types of certificate conversions, but if you are converting to or from PFX format, then you will have to provide a private key, and it’s usually a bad idea to transmit your private key over the internet.