Generate a CSR

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Decrypt PKCS12 file (to create a .ovpn file)

openssl pkcs12 -info -in clientcert.p12 -nodes

Extract the private key to key_encrypted.pem

openssl pkcs12 -nocerts -in "YourPKCSFile" -out private.key -password pass:PASSWORD -passin pass:PASSWORD -passout pass:TempPasswd

openssl pkcs12 -nocerts -in cert.p12 -out key_encrypted.pem

After giving a temp .pem password, we want decrypt the key:

openssl rsa -in private.key -out "NewKeyFile.key" -passin pass:TemporaryPassword

openssl rsa -in key_encrypted -out key.pem

Create a .pfx file from the various certs

openssl pkcs12 -export -out -inkey privkey.pem -in fullchain.pem -password pass:xxx

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem



openssl help pkcs12


X.690 – Different encodings

  • BER
  • CER
  • DER
  • more… (XER, PER etc…)

X.509 – public key certificates

There are several commonly used filename extensions for X.509 certificates. Unfortunately, some of these extensions are also used for other data such as private keys.

  • .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“
  • .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.[citation needed]

PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.

** Main **

Certificate authority
Key length
Digest Algorithm
Lifetime (days)
Common Name

Country Code
State or Province
Organizational Unit

** Certificate Attributes **

Certificate Type:
User Certificate
Server Certificate

Alternative Name (extension to X.509), can be more than one, can be of the following types:
FQDN or Hostname
IP Address
email address
openssl pkcs12 -in my-DC-CA.p12 -nocerts -out privatekey.pem
openssl pkcs12 -in my-DC-CA.p12 -clcerts -nokeys -out publicCert.pem
openssl rsa -in privateKey.pem -out privateKey_decrypted.pem