
The .PFX file is required for IIS and Tomcat (HTTPS).
There are several .CRT files:

  • AAACertificateServices.crt
  • private.key
  • SectigoRSADomainValidationSecureServerCA.crt
  • STAR_domain_com.crt
  • USERTrustRSAAAACA.crt

How can I get a .PFX file from the above files using openssl?

I tried it like this:

    openssl pkcs12 -export -in STAR_domain_com.crt -inkey private.key -out STAR_domain_com.pfx

But the certification chain is incomplete.

As a result, I don't see the certification chain: empty certification chain

I want to get a chain like the one for Let's Encrypt: valid certification chain

i'm guru

Been awhile since I've done this, but as I recall you need to specify a separate `-certfile` for each of the intermediate and root CA certs being put in the PFX. The `-in` argument should be as you have it, associated to The One end-cert associated to the private key (which it looks like you're passing correctly). And everything is in PEM (again, been awhile so take that for what it's worth). IIS has some additional options that are required (friendly-name, for example). So prolly wanna check on that. – WhozCraig Jun 28 '22 at 08:34

1 Answer


To convert .crt to .pfx, we need the CSA certificate (private key) provided by the hosting provider. Below are the steps to convert this:

  • Download and install the OpenSSL software from the link below, based on your system type: https://slproweb.com/products/Win32OpenSSL.html

  • Run the following command at the command prompt:

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    OR

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt

Here:

Certificate.crt = Your-domain-Name.crt

CACert.crt = NetworkSolutions_CA.crt

certificate.pfx is the new name of the generated file.

PrivateKey can be in .key or .txt format.

After completing this process, we have the certificate.pfx file, so go to IIS Server Certificates in IIS Manager.

There is an import link button on the right side; click on it, select the converted certificate, enter the password that was entered at the time of creation of the .pfx file, and complete the process.

Now select your site in IIS, right-click on it, and select "Edit Binding". In the new popup window, select the type as https:// and set "Hosting name" to your domain name; leave all other fields as they are, and click OK to complete this process.

Now restart IIS and your certificate is working fine with your site.

https://stackoverflow.com/a/12798206/13336642

samwu
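
An added example, not part of the question or the replies above: it builds one PFX the way the question's command does and one with the CA certificates passed through `-certfile`, then counts the certificates inside each. The root, intermediate and leaf are generated locally as stand-ins for the files in the question; the names `leaf.crt`, `inter.crt`, `root.crt`, `chain.pem` and the password `demo-only` are assumptions of this demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway root -> intermediate -> leaf hierarchy stands in
# for the CA files in the question; nothing here is real Sectigo material.
PFX_PASS=demo-only   # demo value; omit -passout in real use so openssl prompts

make_demo_pki() (    # $1 = empty work directory
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt 2>/dev/null || exit 1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.crt 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.crt 2>/dev/null
)

export_pfx() (       # $1 = dir, $2 = output PFX, $3... = CA certs to embed
  dir=$1; out=$2; shift 2
  cd "$dir" || exit 1
  if [ "$#" -gt 0 ]; then
    cat "$@" > chain.pem            # one bundle: intermediate(s), then root
    set -- -certfile chain.pem
  fi
  openssl pkcs12 -export -in leaf.crt -inkey leaf.key "$@" \
    -passout "pass:$PFX_PASS" -out "$out"
)

count_pfx_certs() {  # $1 = PFX file; prints how many certificates it holds
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

demo_counts() (      # prints "<leaf-only count> <full-chain count>"
  d=$(mktemp -d) || exit 1
  make_demo_pki "$d" || exit 1
  export_pfx "$d" leaf_only.pfx || exit 1                       # as in the question
  export_pfx "$d" full_chain.pfx inter.crt root.crt || exit 1   # with -certfile
  echo "$(count_pfx_certs "$d/leaf_only.pfx") $(count_pfx_certs "$d/full_chain.pfx")"
  rm -rf "$d"
)

demo_counts
```

The same `openssl pkcs12 -in … -nokeys` listing can be run against a real PFX before importing it into IIS or Tomcat to confirm that the CA certificates are actually inside it.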