Can you please help me export the SSL certificate installed on my cPanel account? Please convert it from PEM format to PFX format.
This is a support request that we sometimes receive as a part of Our Server Management Services.
PEM format used is the normal SSL file format used in apache Linux operating systems. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.
Today, let us today discuss the method for this conversion in a cPanel server.
Why do we need to convert from PEM format to PFX?
PEM is the most common format used for SSL certificates. As we discussed earlier apache and other similar web servers use the certificates in PEM format. Also, it can be easily translated into readable data using a simple text editor.
However, PFX is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. Thus, it would be required to convert the certificate from PEM format to PFX format to export or import the certificates and private keys in Windows and macOS.
How to convert from PEM format to PFX?
The first step to convert the SSL certificate from PEM format to PFX format in cPanel would be to obtain the SSL certificate to be exported. The two different methods for it includes:
1. Obtain the combined file from the backend and split it up.
2. Obtain the certificates directly from the cPanel account.
Now, let’s look at each of these steps in detail.
Obtain the certificate from cPanel front end:
The SSL certificate installed on a domain can be easily obtained from the SSL/TLS option in cPanel with the steps below
- First, log in to cPanel and navigate to SSL/TLS section.
- Then, navigate to the “Install an SSL Website” by clicking on the “Manage SSL sites” option below the “Install and Manage SSL for your site (HTTPS)” section.
- Next, select a Domain from the required domain and click on Autofill by Domain.
- The certificate.crt, private.pem and ca.crt contents will be populated here.
- Copy the first part of the certificate (CRT) to certificate.crt, the second part (KEY) to private.pem and the third part (CABUNDLE) to ca.crt respectively.
Now, let us look at how to obtain the certificate from the backend.
Obtain the certificates from backend:
cPanel combines the certificate, private key, and certificate authority bundle into one single file named “combined”. This exact location of the file is /var/cpanel/ssl/apache_tls/DOMAINNAME/combined
The “combined” file contains the certificate.crt, private.pem and ca.crt in order.Each “part” starts and end with a bunch of “-” sign. For instance the private key starts and ends with
—–BEGIN RSA PRIVATE KEY—– —–END RSA PRIVATE KEY—–
Create separate files for each of the certificate, private key, and certificate authority bundle named certificate.crt, private.pem and ca.crt respectively. Then copy the keys from the combined file and paste in their respective individual files. It is important to make sure there are no extra whitespaces or any other characters that are not a part of the certificate.
Convert to PFX format
As we now have the keys in separate files, we can now proceed with exporting the whole key into PFX format. OpenSSL command below will perform this conversion:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca.crt For instance, $ openssl pkcs12 -export -out bobcares.com.pfx -inkey private.pem -in certificate.crt -certfile ca.crt
This command will prompt for a password. We need to use a secure random password. Also, we need to note down this password carefully as we will need it while importing the certificate.
Let us now look at a common error message seen during conversion.
Common Error Message
A common error message seen during this conversion is “No certificate matches private key”. It generally happens when there is something wrong with the certificate files. This error most probably shows that we have not copied the correct key part or have accidentally included whitespace or another character. The easiest solution would be to just recopy the key into the file.
[Need help to fix SSL errors? We are available 24×7.]
In short, the import and export of certificates and private keys on Windows and macOS machines may require the conversion of the SSL Certificate format from PEM to PFX. Today we saw how our Support Engineers perform the conversion from PEM format to PFX format.