Convert P7B to PFX with OpenSSL

Something I have to do every time when updating SSL certificates on IIS web servers. 


P7B (PKCS#7)

A P7B file is a text file that contains certificates and chain certificates, but does not contain the private key.


A PFX file is a binary format file for storing the server certificate, any intermediate certificates, and the private key in one encrypt-able file.

Convert P7B to PFX

Note that in order to do the conversion, you must have both the certificates cert.p7b file and the private key cert.key file.

$ openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

From the man page of pkcs7:

  1. -print_certs: prints out any certificates contained in the file.
  2. -in: specifies the input filename to read from.
  3. -out: specifies the output filename to write to.
$ openssl pkcs12 -export -in cert.cer -inkey cert.key -out cert.pfx

From the man page of pkcs12:

  1. -export: specifies that a PKCS#12 file will be created.
  2. -in: specifies filename of the PKCS#12 file to be parsed.
  3. -inkey: specifies the file to read private key from.
  4. -out: specifies the filename to write the PKCS#12 file to.

Create a Self-Signed PFX with OpenSSL

2048 bits RSA self-signed certificate valid for 5 years:

$ openssl req -new -x509 -days 1825 -sha256 -nodes -out cert.crt \
-keyout cert.key

From the openssl man page:

  1. req: creates and processes certificate requests.
  2. -new: generates a new certificate request.
  3. -x509: outputs a self signed certificate instead of a certificate request.
  4. -days: when the -x509 option is being used this specifies the number of days to certify the certificate for.
  5. -sha256: specifies the message digest to sign the request with.
  6. -nodes: private key will not be encrypted.
  7. -out: specifies the output filename to write to.
  8. -keyout: filename to write the newly created private key to.
$ openssl pkcs12 -export -in cert.crt -inkey cert.key -out cert.pfx

Generate a New Private Key and Certificate Signing Request (CSR)

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out cert.csr \
-keyout cert.key

The -newkey option creates a new certificate request and a new private key.

Create RSA Private Key from PFX

$ openssl pkcs12 -in cert.pfx -nocerts -nodes | openssl rsa -out rsaprivkey.pem

9 thoughts on “Convert P7B to PFX with OpenSSL

    • Hi guys, is it in any way possible to import the .P7B into the PFX file without the private key?

    • Hi Martin. PFX archive must contain a certificate (possibly with its assorted set of CA certificates) and the corresponding private key. If you have no private key, then you cannot make a PFX.

    • Check the man pages, they have everything you need to perform the conversion.

      You have to supply a file to read private key from. If not present, then a private key must be present in the input file.

  1. Dear Tomas,
    How can I create a .cert file with pkcs7 print_certs from an UTF-8 p7b file?

    • I’m not sure that I understand your question, I have a feeling that you’ll need to consult OpenSSL documentation.

Leave a Reply

Your email address will not be published. Required fields are marked *