Kaspersky Security Center

Converting a PFX certificate to the PEM format

8 April 2024

ID 201428

To use a PFX certificate in Kaspersky Security Center Web Console, you must first convert it to the PEM format by using any convenient OpenSSL-based cross-platform utility.

To convert a PFX certificate to the PEM format in the Windows operating system:

  1. In an OpenSSL-based cross-platform utility, execute the following commands:

    openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out server.crt

    openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out key.pem

    As a result, you get a public key as a .crt file and a private key as a passphrase-protected .pem file.

  2. Make sure that the .crt and .pem files are generated in the same folder where the .pfx file is stored.
  3. If the .crt or .pem file contains "Bag Attributes" lines, delete these attributes by using any convenient text editor, and then save the file.
  4. Restart the Windows service.
  5. Kaspersky Security Center Web Console does not support passphrase-protected certificates. Therefore, run the following command in an OpenSSL-based cross-platform utility to remove a passphrase from the .pem file:

    openssl rsa -in key.pem -out key-without-passphrase.pem

    Do not use the same name for the input and output .pem files.

    As a result, the new .pem file is unencrypted. You do not have to enter a passphrase to use it.

The .crt and .pem files are ready to use, so you can specify them in the Kaspersky Security Center Web Console installer.

To convert a PFX certificate to the PEM format in the Linux operating system:

  1. In an OpenSSL-based cross-platform utility, execute the following commands:

    openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt

    openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > key.pem

  2. Make sure that the certificate file and the private key are generated in the same directory where the .pfx file is stored.
  3. Kaspersky Security Center Web Console does not support passphrase-protected certificates. Therefore, run the following command in an OpenSSL-based cross-platform utility to remove a passphrase from the .pem file:

    openssl rsa -in key.pem -out key-without-passphrase.pem

    Do not use the same name for the input and output .pem files.

    As a result, the new .pem file is unencrypted. You do not have to enter a passphrase to use it.

The .crt and .pem files are ready to use, so you can specify them in the Kaspersky Security Center Web Console installer.
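
The following pre-flight check is an added example, not part of the original article or of Kaspersky's tooling. It confirms that the converted files have no "Bag Attributes", that the key is no longer passphrase-protected, that the certificate and key belong together, and that the unencrypted key is readable only by its owner. It assumes a POSIX shell with `openssl` on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Kaspersky code). Function names are hypothetical;
# server.crt and key-without-passphrase.pem are the article's file names.

# 0 if the PEM file still contains "Bag Attributes" lines.
has_bag_attributes() {
    grep -q '^Bag Attributes' "$1"
}

# 0 if the key is still passphrase-protected (PKCS#8 or legacy PEM encryption).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if the certificate and the private key carry the same public key.
# Output is captured first so that two failed reads never compare as equal.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The unencrypted key is protected only by file permissions: owner-only access.
lock_down_key() {
    chmod 600 "$1" && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run every check; print one line per problem; return non-zero on any failure.
check_pair() {
    rc=0
    for f in "$1" "$2"; do
        if has_bag_attributes "$f"; then echo "FAIL: $f contains Bag Attributes"; rc=1; fi
    done
    if key_is_encrypted "$2"; then echo "FAIL: $2 is passphrase-protected"; rc=1; fi
    if ! cert_matches_key "$1" "$2"; then echo "FAIL: $1 and $2 do not match"; rc=1; fi
    if ! lock_down_key "$2"; then echo "FAIL: cannot restrict access to $2"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are ready for the installer"
    return "$rc"
}

# Usage: sh check_pem.sh server.crt key-without-passphrase.pem
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

After the installer has consumed the files, delete the intermediate key.pem and store the original .pfx outside the web server's directory.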
