Combine CRT and KEY Files into a PFX with OpenSSL

Say you have a .crt file and a .key file that contains the private key, and you need to combine them into a password-protected .pfx file so that you can import the certificate and private key onto the servers. That’s what I had to do. I’ve tried to make this entry as no-nonsense as possible, so I put together sample screenshots of what the process looks like.

Example files when starting:

First we need to extract the root CA certificate from the existing .crt file, because we need this later. So open up the .crt and click on the Certification Path tab.


Click the topmost certificate (In this case VeriSign) and hit View Certificate. Select the Details tab and hit Copy to File…


Select Base-64 encoded X.509 (.CER) certificate


Save it as rootca.cer or something similar. Place it in the same folder as the other files.


Rename it from rootca.cer to rootca.crt

Now we should have 3 files in our folder from which we can create a PFX file.


Here is where we need OpenSSL. We can either download and install it on Windows, or simply open Terminal on OS X.

Open Terminal on OS X and cd to the directory the files are in. For Windows users, copy and paste the above three files into the default OpenSSL install location on Windows: C:\OpenSSL-Win32\bin. Then open a command prompt and change directories to C:\OpenSSL-Win32\bin. From this point the commands are the same.

We can see the three files.


The command syntax for my example is:

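openssl pkcs12 -export -out <pfxname>.pfx -inkey <keyname>.key -in <certname>.crt -certfile rootca.crt

Replace the names in angle brackets with your own file names: the PFX file to create, the existing private key file and the existing certificate file.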


If everything was entered correctly, you should be prompted to create a password for the PFX file. Enter a password and confirm it. When finished you should have a working PFX file to import on your Windows boxes either via the MMC or IIS. You will need the password when importing the pfx.
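
The same export as a script that first checks that the private key belongs to the certificate, then re-opens the finished PFX to confirm the password works and that both certificates are inside. This is an added example, not part of the original post; the file names, the function names and the PFX_PASS environment variable (used instead of the interactive password prompt) are assumptions, and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: file names, function names and PFX_PASS are assumptions.

# Digest of the public key in a certificate / derived from a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256; }

# make_pfx KEY CERT ROOTCA OUT   (the PFX password is read from $PFX_PASS)
# Returns 1 if the key does not belong to the certificate, 2 if the export
# fails, 3 if the PFX does not re-open with exactly two certificates inside.
make_pfx() {
    key=$1; cert=$2; rootca=$3; out=$4
    if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
        echo "private key does not match $cert" >&2
        return 1
    fi
    # The PFX holds the private key: create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
          -certfile "$rootca" -passout env:PFX_PASS ) || return 2
    # Re-open with the same password and count the certificates stored.
    n=$(openssl pkcs12 -in "$out" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ] || return 3
}

# Constructed sample input: a throwaway root CA, a server certificate signed
# by it, and an unrelated private key, all written to directory $1.
make_sample_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
        -keyout "$d/rootca.key" -out "$d/rootca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/rootca.crt" \
        -CAkey "$d/rootca.key" -CAcreateserial -days 1 \
        -out "$d/server.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Run with the single argument "demo" to build a PFX from the sample files.
if [ "${1:-}" = "demo" ]; then
    export PFX_PASS='constructed-demo-password'
    dir=$(mktemp -d) && make_sample_files "$dir" &&
    make_pfx "$dir/server.key" "$dir/server.crt" "$dir/rootca.crt" \
        "$dir/server.pfx" && echo "created $dir/server.pfx"
fi
```

A return code of 1 means the .key file on disk is not the one the certificate was issued for, which is worth ruling out before the PFX import fails on the server.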


7 comments on “Combine CRT and KEY Files into a PFX with OpenSSL”
  1. A says:

    Batch file below to help with instructions above on a Windows machine.

    @echo off
    REM This will check the common folders where openssl.exe is installed and copy the .exe over to c:\temp
    REM add the "IF EXIST" lines as necessary.
    IF EXIST "C:\Program Files (x86)\GnuWin32\bin\openssl.exe" copy "C:\Program Files (x86)\GnuWin32\bin\openssl.exe" "C:\temp" /y

    TITLE Disclaimer and Instruction
    echo ## This script will merge a cert file and a key file to create a new PFX file.
    echo ## This script automates some steps and instructions mentioned on…..
    echo ##
    echo ## It is assumed by the script that openssl.exe is installed in temp, if it's not, then copy it over manually
    REM Switch to C:\temp regardless of the drive or folder the script was started from.
    cd /d C:\temp

    set pfxname=
    Title Please Enter the name of PFX file you would like to create without extension
    set /P pfxname=Please Enter PFX File Name Without Extension: %=%
    set keyname=
    Title Please Enter the name of existing certificate key file name without extension
    set /P keyname=Please Enter Key File Name Without Extension: %=%
    set certname=
    Title Please Enter the name of existing certificate file name without extension
    set /P certname=Please Enter Cert File Name Without Extension: %=%
    set rootcacertname=
    Title Please Enter the name of existing rootca certificate file name without extension
    set /P rootcacertname=Please Enter RootCA Cert File Name Without Extension: %=%
    REM Quote the file names so that names containing spaces are passed as single arguments.
    openssl pkcs12 -export -out "%pfxname%.pfx" -inkey "%keyname%.key" -in "%certname%.crt" -certfile "%rootcacertname%.crt"
    start c:\temp
    TITLE PFX file has been created
    echo PFX file has been created

  2. ordinarynimda says:

    Great article, precise & concise. Everything (including the setting up of an SSL-enabled web site through IIS’s import PFX wizard) worked like a charm from the first try!

  3. Max says:

    But where do I get a .key file?!? Comodo only sent me a .crt file? God this certificate industry is stupid!

    • dragon788 says:

      You should have the .key file in the same directory as the .csr that you were required to upload in order to request your certificate.

  4. as says:

    Fantastic!! In simple language with clear pics, many thanks.

  5. Jayadheer Reddy Mantrala says:

    Thanks, Saved my day.
