Help Center/ Cloud Certificate Manager/ FAQs/ Others/ SSL Certificate Management/ How Do I Convert a Certificate into the PEM Format?
Updated on 2023-01-19 GMT+08:00
View PDF

How Do I Convert a Certificate into the PEM Format?

Certificate formats can be converted mutually.

It is recommended that OpenSSL be used to convert certificates in other formats into the PEM format. The following examples illustrate some popular conversion methods.

Converting the Certificate Format to PEM

Table 1 Certificate format conversion commands

Format

Conversion Method (Using OpenSSL)

CER/CRT

Rename the cert.crt certificate file to cert.pem.

PFX
  • Obtain a private key. As an example, run the following command to convert cert.pfx into key.pem:

    openssl pkcs12 -in cert.pfx -nocerts -out key.pem

  • Obtain a certificate. As an example, run the following command to convert cert.pfx into cert.pem:

    openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

P7B
  1. Convert a certificate. As an example, run the following command to convert cert.p7b into cert.cer:

    openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

  2. Rename obtained certificate file cert.cer to cert.pem.

DER
  • Obtain a private key. As an example, run the following command to convert privatekey.der into privatekey.pem:

    openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

  • Obtain a certificate. As an example, run the following command to convert cert.cer into cert.pem:

    openssl x509 -inform der -in cert.cer -out cert.pem

PKCS8 Certificate Encoding Format

As Huawei Cloud WAF, ELB, and CDN do not support the PKCS8 format, an error will occur if you upload a certificate in PKCS8 format to SCM and then deploy it on WAF, ELB, or CDN.

  • If the private key file of a certificate starts with -----BEGIN PRIVATE KEY-----, the certificate is in PKCS8 format.
  • If the private key file of a certificate starts with -----BEGIN RSA PRIVATE KEY-----, the certificate is in PKCS1 format.

If your public or private key is in PKCS8 format, perform the following operations to use the PKCS8 certificate to WAF and CDN services:

  1. Check whether the certificate is in PEM format.

  2. Run the following commands to convert format from PKCS8 to PKCS1:

    • Converting the private key format from PKCS8 to PKCS1:

      openssl rsa -in pkcs8.pem -out pkcs1.pem

    • Converting the public key format from PKCS8 into PKCS1:

      openssl rsa -pubin -in public.pem -RSAPublicKey_out

  3. Upload the converted certificate to SCM. For details, see Uploading a Certificate.
  4. Deploy the certificate to the corresponding Huawei Cloud service. For details, see Deploying a Certificate to a Cloud Product.