Generating a PKCS12 (PFX) Via OpenSSL

Sometimes there are cases when you have a separate private key/certificate pair (perhaps with an intermediate or two) that need to be combined into a single file.  This merge can be performed on the command line using OpenSSL.

openssl pkcs12 -export -in my.cer -inkey my.key -out mycert.pfx

This is the most basic use case and assumes that we have no intermediates, the private key has no password associated, my.cer is a PEM encoded file, and that we wish to supply a password interactively to protect the output file.  Great, but what if that’s not true?

Common Optional Flags

-passin If your private key has a password, you can supply it via this flag (Example: -passin pass:mypass).  Note: This flag is not necessary as OpenSSL will ask you for the password interactively if it detects that the private key is passworded, but can be useful for automation.

-in You can add extra certificates via additional -in parameters. (Example: -in anothercert.cer)

-inform If your certificates are DER (binary) encoded rather than PEM (base64) use this flag (Example: -inform DER)

-password You can use this flag to specify the output file’s password in a non-interactive fashion (Example: -password pass:mypass).  Note: Again, this is useful primarily to reduce interactivity and increase automation/scripting capability.

Much more advanced behavior is available, but if you need that it’s probably time to check the man page.