How to Convert a PFX Certificate to JKS, P12, CRT?

Converting PFX to Other Format

Personal Information Exchange (.pfx) Files are used for code signing an application. It is a password-protected file certificate that can store multiple cryptographic objects in a single file.

Starting in June 2023, Generating a PFX for a code signing certificate is no longer possible. The new industry requirements from the CA/B Forum require code signing certificates to be issued in .crt format and loaded inside a hardware USB token or Cloud HSM.

Converting PFX certificates to other formats such as JKS (Java KeyStore), P12 (PKCS 12), and CRT (Certificate) involves using tools like OpenSSL and keytool. The conversion steps are explained in detail below:

Converting PFX to JKS

Use the “keytool” command provided by Java. Ensure Java is installed and the “keytool” is accessible from the command line.

Run the below command to extract the certificates and keys from the .pfx file.

    openssl pkcs12 -in yourfile.pfx -out temp.pem -nodes

    Run below two lines as one command in key tool to create a trust certificate keystore

    keytool -importkeystore -srckeystore yourfile.pfx -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks

    You will be prompted to enter passwords for the source keystore and the destination keystore.

    Converting PFX to P12 (PKCS 12)

    The process of converting PFX to P12 is quite straightforward because PFX is essentially the same as PKCS 12 format. You can rename the file or convert it using OpenSSL.

    Rename:

    mv yourfile.pfx yourfile.p12

    Convert:

    openssl pkcs12 -in yourfile.pfx -out yourfile.p12 -nodes”

    Converting PFX to CRT

    The following prerequisites will be required to convert a PFX file to CRT.

    • Make sure OpenSSL is installed on your device.
    • The PFX file you want to convert.
    • A command-line interface (CLI) or terminal.

    Open the command prompt and right-click on it to choose “Run as Administrator

      In the Command Prompt, change the directory to the OpenSSL bin folder:

      cd "C:\Program Files\OpenSSL-Win64\bin"

      Make sure that the Command Prompt path changes to:

      C:\Program Files\OpenSSL-Win64\bin>

      Then, you’ll need to extract the private key from the PFX file. Run the following command in your CLI or terminal:

      openssl pkcs12 -in yourfile.pfx -nocerts -out certificate.key

      Enter the password for the PFX file when prompted. Then, enter a new password for the key file twice. If done correctly, this process will save the private key as certificate.key without any error messages.

      Next, you need to extract the public certificate from the PFX file. Use the following command:

      openssl pkcs12 -in yourfile.pfx -out certificate.cer -nodes

      Enter the PFX password again when prompted. If successful, this will save the certificate as the certificate.cer

      Code Signing Tutorials

      Cheap Code Signing Certificates

      Prevent Code Tampering and Authenticate Code Integrity by Digitally Sign your Code with Trusted Code Signing Certificates.

      Starting at Just $215.99/Year

      Related posts:

      1. How to Convert an Exported PFX File to PVK & SPC Files [A Detailed Guide]
      2. What is a PFX Certificate? How to Create a PFX File?
      3. Exporting Your Code Signing Certificate as a PFX File in Chrome
      4. How to Export Code Signing PFX Certificate with the DigiCert Utility Tool
      Janki Mehta

      Janki Mehta

      Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.