# Certificate Conversion

{% hint style="danger" %}
**Bindplane Requirement**

Bindplane collectors only support PEM format. All certificates and keys must be converted to PEM before use.
{% endhint %}

## When Conversion is Needed

### Format Identification

**You need to convert if:**

1. **Binary/unreadable files** - DER format certificates or keys
2. **`.p12` or `.pfx` files** - PKCS#12/PFX bundle files (common on Windows)
3. **Encrypted private keys** - Keys with password protection
4. **Specific key format required** - PKCS#1 vs PKCS#8 (Bindplane supports both, so convert only if other tooling requires one of them)

**How to identify your file format:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# View the file
head -n 5 certificate.crt

# If you see this → PEM format
# -----BEGIN CERTIFICATE-----

# If you see binary gibberish → DER format

# If you have .p12 or .pfx extension → PKCS#12 bundle
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# View the file
Get-Content C:\certs\certificate.crt -First 5

# If you see this → PEM format
# -----BEGIN CERTIFICATE-----

# If you see binary gibberish → DER format

# If you have .p12 or .pfx extension → PKCS#12 bundle
```

{% endtab %}
{% endtabs %}

## Bindplane Requirements Recap

| Requirement            | Status                          |
| ---------------------- | ------------------------------- |
| PEM format             | SUPPORTED (Base64-encoded text) |
| DER format             | NOT supported                   |
| PKCS#12/PFX            | NOT supported (must extract)    |
| Private key encryption | NOT supported (must decrypt)    |

## DER to PEM Conversion

DER is a binary encoding format. Bindplane requires PEM (text-based).

### Convert DER Certificate to PEM

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl x509 -inform DER -in certificate.der -out certificate.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl x509 -inform DER -in C:\certs\certificate.der -out C:\certs\certificate.pem
```

{% endtab %}
{% endtabs %}

**Verify the conversion:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
head -n 5 certificate.pem
# Should show: -----BEGIN CERTIFICATE-----
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
Get-Content C:\certs\certificate.pem -First 5
# Should show: -----BEGIN CERTIFICATE-----
```

{% endtab %}
{% endtabs %}

### Convert DER Private Key to PEM

**For RSA keys:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl rsa -inform DER -in private.der -out private.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl rsa -inform DER -in C:\certs\private.der -out C:\certs\private.pem
```

{% endtab %}
{% endtabs %}

**For ECDSA keys:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl ec -inform DER -in private.der -out private.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl ec -inform DER -in C:\certs\private.der -out C:\certs\private.pem
```

{% endtab %}
{% endtabs %}

**For generic private keys:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkey -inform DER -in private.der -out private.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkey -inform DER -in C:\certs\private.der -out C:\certs\private.pem
```

{% endtab %}
{% endtabs %}

## Platform-Specific Notes

**Linux/macOS:**

* OpenSSL is usually pre-installed
* Commands work as shown above

**Windows:**

* Install OpenSSL from: <https://slproweb.com/products/Win32OpenSSL.html>
* Or use Windows Subsystem for Linux (WSL)
* Or use Git Bash which includes OpenSSL

## PKCS#12/PFX to PEM Conversion

PKCS#12 (`.p12`) and PFX (`.pfx`) are bundle formats that contain certificates and private keys together, often used on Windows.

### Extract Certificate from PKCS#12/PFX

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkcs12 -in C:\certs\certificate.pfx -clcerts -nokeys -out C:\certs\certificate.pem
```

{% endtab %}
{% endtabs %}

**Flags explained:**

* `-clcerts`: Extract only client certificates (not CA certs)
* `-nokeys`: Don't extract private keys

**You'll be prompted for:**

* Import password (the password protecting the `.pfx` file)

### Extract Private Key from PKCS#12/PFX

**Step 1: Extract encrypted key**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkcs12 -in certificate.pfx -nocerts -out encrypted-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkcs12 -in C:\certs\certificate.pfx -nocerts -out C:\certs\encrypted-key.pem
```

{% endtab %}
{% endtabs %}

**Flags explained:**

* `-nocerts`: Don't extract certificates

**You'll be prompted for:**

* Import password (the password protecting the `.pfx` file)
* PEM pass phrase (new password for the extracted key)

**Step 2: Decrypt the private key**

{% hint style="warning" %}
**Required Step**

The extracted key is encrypted and must be decrypted for use with Bindplane collectors.
{% endhint %}

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl rsa -in encrypted-key.pem -out key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl rsa -in C:\certs\encrypted-key.pem -out C:\certs\key.pem
```

{% endtab %}
{% endtabs %}

**You'll be prompted for:**

* The PEM pass phrase you set in Step 1

**Secure the decrypted key:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
chmod 600 key.pem
chown <collector-user>:<collector-group> key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
icacls C:\certs\key.pem /inheritance:r /grant:r "$($env:USERNAME):(R)"
```

{% endtab %}
{% endtabs %}

### Extract CA Certificates from PKCS#12/PFX

If your `.pfx` bundle contains CA certificates:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkcs12 -in C:\certs\certificate.pfx -cacerts -nokeys -out C:\certs\ca-chain.pem
```

{% endtab %}
{% endtabs %}

**Flags explained:**

* `-cacerts`: Extract only CA certificates
* `-nokeys`: Don't extract private keys

### Complete PKCS#12/PFX Extraction Example

Extract everything from a `.pfx` file:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Extract certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

# Extract and decrypt private key
openssl pkcs12 -in certificate.pfx -nocerts -out encrypted-key.pem
openssl rsa -in encrypted-key.pem -out key.pem

# Extract CA certificates (if present)
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem

# Clean up encrypted key (optional)
rm encrypted-key.pem

# Secure the private key
chmod 600 key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Extract certificate
openssl pkcs12 -in C:\certs\certificate.pfx -clcerts -nokeys -out C:\certs\certificate.pem

# Extract and decrypt private key
openssl pkcs12 -in C:\certs\certificate.pfx -nocerts -out C:\certs\encrypted-key.pem
openssl rsa -in C:\certs\encrypted-key.pem -out C:\certs\key.pem

# Extract CA certificates (if present)
openssl pkcs12 -in C:\certs\certificate.pfx -cacerts -nokeys -out C:\certs\ca-chain.pem

# Clean up encrypted key (optional)
Remove-Item C:\certs\encrypted-key.pem

# Secure the private key
icacls C:\certs\key.pem /inheritance:r /grant:r "$($env:USERNAME):(R)"
```

{% endtab %}
{% endtabs %}

## Windows-Specific Considerations

**Exporting from Windows Certificate Store:**

If your certificate is in the Windows Certificate Store:

1. Open `certmgr.msc` (Certificate Manager)
2. Navigate to the certificate
3. Right-click → All Tasks → Export
4. Export as `.pfx` with private key
5. Use the extraction commands above

## Decrypting Private Keys

Encrypted private keys have password protection and cannot be used with Bindplane collectors.

### Identify Encrypted Keys

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
head -n 10 server.key

# Encrypted keys show one of these:
# -----BEGIN ENCRYPTED PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: DES-EDE3-CBC,...
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
Get-Content C:\certs\server.key -First 10

# Encrypted keys show one of these:
# -----BEGIN ENCRYPTED PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: DES-EDE3-CBC,...
```

{% endtab %}
{% endtabs %}

### Decrypt RSA Keys (PKCS#1)

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl rsa -in encrypted-key.pem -out decrypted-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl rsa -in C:\certs\encrypted-key.pem -out C:\certs\decrypted-key.pem
```

{% endtab %}
{% endtabs %}

**You'll be prompted for:**

* The passphrase protecting the encrypted key

### Decrypt ECDSA Keys

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl ec -in encrypted-key.pem -out decrypted-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl ec -in C:\certs\encrypted-key.pem -out C:\certs\decrypted-key.pem
```

{% endtab %}
{% endtabs %}

### Decrypt Generic Private Keys (PKCS#8)

Works for any key type:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkey -in encrypted-key.pem -out decrypted-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkey -in C:\certs\encrypted-key.pem -out C:\certs\decrypted-key.pem
```

{% endtab %}
{% endtabs %}

### Verify Key is Decrypted

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
head -n 5 decrypted-key.pem

# Should show (NO "ENCRYPTED"):
# -----BEGIN PRIVATE KEY-----
# or -----BEGIN RSA PRIVATE KEY-----
# or -----BEGIN EC PRIVATE KEY-----

# Should NOT show:
# -----BEGIN ENCRYPTED PRIVATE KEY-----
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
Get-Content C:\certs\decrypted-key.pem -First 5

# Should show (NO "ENCRYPTED"):
# -----BEGIN PRIVATE KEY-----
# or -----BEGIN RSA PRIVATE KEY-----
# or -----BEGIN EC PRIVATE KEY-----

# Should NOT show:
# -----BEGIN ENCRYPTED PRIVATE KEY-----
```

{% endtab %}
{% endtabs %}
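
The header checks from Format Identification, Identify Encrypted Keys and Verify Key is Decrypted can be combined into one preflight script. This is an added example, not Bindplane tooling; the function names, labels and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Bindplane tooling). Function names, labels and the
# sample files are assumptions made for illustration.

# classify_tls_file FILE -> pem-key-encrypted | pem-key | pem-certificate |
#                           pkcs12 | der | unknown | unreadable
classify_tls_file() {
  local f="$1"
  [ -r "$f" ] || { echo "unreadable"; return 1; }
  # PKCS#8 encrypted header, or a traditional PEM key with a Proc-Type line
  if LC_ALL=C grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                      -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
    echo "pem-key-encrypted"
  elif LC_ALL=C grep -q -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
    echo "pem-key"
  elif LC_ALL=C grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
    echo "pem-certificate"
  elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    # 0x30 is the ASN.1 SEQUENCE tag that starts DER and PKCS#12 files;
    # tell them apart by extension, as the page does
    case "$f" in *.p12|*.pfx) echo "pkcs12" ;; *) echo "der" ;; esac
  else
    echo "unknown"
  fi
}

# preflight FILE -> 0 if usable as-is, 2 if it must be converted, 1 otherwise
preflight() {
  local kind
  kind=$(classify_tls_file "$1") || true
  case "$kind" in
    pem-certificate|pem-key) echo "OK       $1 ($kind)"; return 0 ;;
    pem-key-encrypted)       echo "DECRYPT  $1 (encrypted private key)"; return 2 ;;
    pkcs12)                  echo "EXTRACT  $1 (PKCS#12 bundle)"; return 2 ;;
    der)                     echo "CONVERT  $1 (DER to PEM)"; return 2 ;;
    *)                       echo "UNKNOWN  $1 ($kind)"; return 1 ;;
  esac
}

# make_samples DIR: constructed files; bodies are placeholders, not real keys
make_samples() {
  local d="$1" body='CONSTRUCTEDSAMPLEBODYnotARealKeyOrCertificate'
  printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
    '-----END CERTIFICATE-----' > "$d/cert.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" \
    '-----END PRIVATE KEY-----' > "$d/pkcs8.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc-pkcs8.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$body" \
    '-----END RSA PRIVATE KEY-----' > "$d/enc-pkcs1.pem"
  printf '\060\202\001\012\000' > "$d/cert.der"     # binary, starts with 0x30
  printf '\060\202\001\012\000' > "$d/bundle.pfx"
}

# Demo run over the constructed samples
dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/*; do preflight "$f" || true; done
rm -rf "$dir"
```

Run `preflight` on each file before pointing a collector at it; any result other than `OK` maps to one of the conversion sections on this page.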

### Security Considerations

{% hint style="warning" %}
**Security Best Practice**

Decrypted private keys are more vulnerable, because anyone who can read the file can use the key. Protect them with:

* Strict file permissions (600)
* Secure storage locations
* Access controls
* Encryption at rest (disk encryption)
* Audit logging

{% endhint %}

**Secure your decrypted keys:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Set restrictive permissions
chmod 600 decrypted-key.pem

# Set ownership to collector user
chown collector-user:collector-group decrypted-key.pem

# Verify permissions
ls -la decrypted-key.pem
# Should show: -rw------- (600)
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Restrict permissions to current user only
icacls C:\certs\decrypted-key.pem /inheritance:r /grant:r "$($env:USERNAME):(R)"

# Verify permissions
icacls C:\certs\decrypted-key.pem
```

{% endtab %}
{% endtabs %}

## Key Format Conversion

### PKCS#1 to PKCS#8

Convert traditional RSA format to PKCS#8:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl pkcs8 -topk8 -nocrypt -in rsa-key.pem -out pkcs8-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl pkcs8 -topk8 -nocrypt -in C:\certs\rsa-key.pem -out C:\certs\pkcs8-key.pem
```

{% endtab %}
{% endtabs %}

**Flags:**

* `-topk8`: Convert to PKCS#8
* `-nocrypt`: Don't encrypt the output key

**Result:**

* Changes header from `-----BEGIN RSA PRIVATE KEY-----`
* To `-----BEGIN PRIVATE KEY-----`

### PKCS#8 to PKCS#1

Convert PKCS#8 to traditional RSA format:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl rsa -in pkcs8-key.pem -out rsa-key.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl rsa -in C:\certs\pkcs8-key.pem -out C:\certs\rsa-key.pem
```

{% endtab %}
{% endtabs %}

**Result:**

* Changes header from `-----BEGIN PRIVATE KEY-----`
* To `-----BEGIN RSA PRIVATE KEY-----`

{% hint style="info" %}
**Note:** Both PKCS#1 and PKCS#8 formats are supported by Bindplane collectors. This conversion is only needed if you have specific format requirements.
{% endhint %}

## Certificate Chain Assembly

### Concatenating Certificates

Create a full certificate chain by concatenating individual certificates:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
cat server.crt intermediate.crt root.crt > fullchain.crt
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
Get-Content server.crt, intermediate.crt, root.crt | Set-Content fullchain.crt
```

{% endtab %}
{% endtabs %}

**Correct order:**

1. Server/leaf certificate (first)
2. Intermediate CA certificate(s)
3. Root CA certificate (optional, last)

### Example Chain Assembly

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# You have separate files:
# - server.crt (your server certificate)
# - intermediate.crt (intermediate CA)
# - root.crt (root CA - optional)

# Create fullchain
cat server.crt intermediate.crt > fullchain.crt

# Verify the chain contents (prints every certificate in the file)
openssl crl2pkcs7 -nocrl -certfile fullchain.crt | openssl pkcs7 -print_certs -text -noout
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# You have separate files:
# - server.crt (your server certificate)
# - intermediate.crt (intermediate CA)
# - root.crt (root CA - optional)

# Create fullchain
Get-Content server.crt, intermediate.crt | Set-Content fullchain.crt

# Verify the chain contents (prints every certificate in the file)
openssl crl2pkcs7 -nocrl -certfile fullchain.crt | openssl pkcs7 -print_certs -text -noout
```

{% endtab %}
{% endtabs %}

### Verify Certificate Order

Check that certificates are in the correct order:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Split the chain for inspection
awk 'BEGIN {c=0} /BEGIN CERT/{c++} {print > ("cert" c ".pem")}' fullchain.crt

# Check each certificate
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

# cert1 should be your server cert (subject = your server)
# cert2 should be intermediate (issuer of cert1)
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Split the chain for inspection
$content = Get-Content C:\certs\fullchain.crt -Raw
$certs = [regex]::Matches($content, '(?s)(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)')
for ($i = 0; $i -lt $certs.Count; $i++) {
    $certs[$i].Value | Set-Content "cert$($i+1).pem"
}

# Check each certificate
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

# cert1 should be your server cert (subject = your server)
# cert2 should be intermediate (issuer of cert1)
```

{% endtab %}
{% endtabs %}

### Testing the Chain

Test that clients can verify the full chain:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Test with OpenSSL s_client
# (for a private or test CA, add -CAfile root.crt so the chain can be verified)
openssl s_client -connect collector.example.com:10514 -showcerts

# Look for "Verify return code: 0 (ok)"
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Test with OpenSSL s_client
# (for a private or test CA, add -CAfile root.crt so the chain can be verified)
openssl s_client -connect collector.example.com:10514 -showcerts

# Look for "Verify return code: 0 (ok)"
```

{% endtab %}
{% endtabs %}

## Generating Test Certificates

For testing and development, you can generate self-signed certificates.

### Generate Self-Signed Certificate with OpenSSL

**Quick single command:**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=collector.example.com"
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem `
  -days 365 -nodes `
  -subj "/C=US/ST=State/L=City/O=Organization/CN=collector.example.com"
```

{% endtab %}
{% endtabs %}

**Flags explained:**

* `-x509`: Generate self-signed certificate
* `-newkey rsa:4096`: Generate 4096-bit RSA key
* `-keyout key.pem`: Output key filename
* `-out cert.pem`: Output certificate filename
* `-days 365`: Valid for 365 days
* `-nodes`: Don't encrypt the private key ("no DES"; OpenSSL 3.x also accepts `-noenc`)
* `-subj`: Certificate subject (customize as needed)

### Generate Certificate with Subject Alternative Names (SANs)

Create a config file for SANs:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
cat > san.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
CN = collector.example.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = collector.example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.10
EOF
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
@"
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
CN = collector.example.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = collector.example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.10
"@ | Set-Content C:\certs\san.cnf
```

{% endtab %}
{% endtabs %}

Generate the certificate:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes -config san.cnf
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem `
  -days 365 -nodes -config C:\certs\san.cnf
```

{% endtab %}
{% endtabs %}

### Generate Certificate Chain for Testing

Create a complete CA chain for testing:

**Step 1: Generate Root CA**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Generate root CA key
openssl genrsa -out root-ca-key.pem 4096

# Generate root CA certificate
openssl req -x509 -new -key root-ca-key.pem -out root-ca.pem \
  -days 3650 -subj "/C=US/O=Test Org/CN=Test Root CA"
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Generate root CA key
openssl genrsa -out root-ca-key.pem 4096

# Generate root CA certificate
openssl req -x509 -new -key root-ca-key.pem -out root-ca.pem `
  -days 3650 -subj "/C=US/O=Test Org/CN=Test Root CA"
```

{% endtab %}
{% endtabs %}

**Step 2: Generate Intermediate CA**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Generate intermediate CA key
openssl genrsa -out intermediate-ca-key.pem 4096

# Generate intermediate CSR
openssl req -new -key intermediate-ca-key.pem -out intermediate-ca.csr \
  -subj "/C=US/O=Test Org/CN=Test Intermediate CA"

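# CA extensions: without basicConstraints CA:TRUE, clients reject
# certificates issued by this intermediate
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > intermediate-ca.ext

# Sign intermediate with root CA
openssl x509 -req -in intermediate-ca.csr -CA root-ca.pem \
  -CAkey root-ca-key.pem -CAcreateserial -out intermediate-ca.pem \
  -days 1825 -extfile intermediate-ca.ext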
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Generate intermediate CA key
openssl genrsa -out intermediate-ca-key.pem 4096

# Generate intermediate CSR
openssl req -new -key intermediate-ca-key.pem -out intermediate-ca.csr `
  -subj "/C=US/O=Test Org/CN=Test Intermediate CA"

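# CA extensions: without basicConstraints CA:TRUE, clients reject
# certificates issued by this intermediate
"basicConstraints=critical,CA:TRUE", "keyUsage=critical,keyCertSign,cRLSign" | Set-Content intermediate-ca.ext

# Sign intermediate with root CA
openssl x509 -req -in intermediate-ca.csr -CA root-ca.pem `
  -CAkey root-ca-key.pem -CAcreateserial -out intermediate-ca.pem `
  -days 1825 -extfile intermediate-ca.ext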
```

{% endtab %}
{% endtabs %}

**Step 3: Generate Server Certificate**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Generate server key
openssl genrsa -out server-key.pem 2048

# Generate server CSR
openssl req -new -key server-key.pem -out server.csr \
  -subj "/C=US/O=Test Org/CN=collector.example.com"

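# Server extensions: clients match the hostname against subjectAltName, not CN
printf 'subjectAltName=DNS:collector.example.com\nextendedKeyUsage=serverAuth\n' > server.ext

# Sign server cert with intermediate CA
openssl x509 -req -in server.csr -CA intermediate-ca.pem \
  -CAkey intermediate-ca-key.pem -CAcreateserial -out server.pem \
  -days 365 -extfile server.ext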
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Generate server key
openssl genrsa -out server-key.pem 2048

# Generate server CSR
openssl req -new -key server-key.pem -out server.csr `
  -subj "/C=US/O=Test Org/CN=collector.example.com"

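# Server extensions: clients match the hostname against subjectAltName, not CN
"subjectAltName=DNS:collector.example.com", "extendedKeyUsage=serverAuth" | Set-Content server.ext

# Sign server cert with intermediate CA
openssl x509 -req -in server.csr -CA intermediate-ca.pem `
  -CAkey intermediate-ca-key.pem -CAcreateserial -out server.pem `
  -days 365 -extfile server.ext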
```

{% endtab %}
{% endtabs %}

**Step 4: Create Fullchain**

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
cat server.pem intermediate-ca.pem > fullchain.pem
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
Get-Content server.pem, intermediate-ca.pem | Set-Content fullchain.pem
```

{% endtab %}
{% endtabs %}

### Generate mTLS Test Certificates

Generate client certificates for mTLS testing:

{% tabs %}
{% tab title="Linux/macOS" %}

```bash
# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate client CSR
openssl req -new -key client-key.pem -out client.csr \
  -subj "/C=US/O=Test Org/CN=Test Client"

# Sign client cert with intermediate CA
openssl x509 -req -in client.csr -CA intermediate-ca.pem \
  -CAkey intermediate-ca-key.pem -CAcreateserial -out client.pem \
  -days 365
```

{% endtab %}

{% tab title="Windows PowerShell" %}

```powershell
# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate client CSR
openssl req -new -key client-key.pem -out client.csr `
  -subj "/C=US/O=Test Org/CN=Test Client"

# Sign client cert with intermediate CA
openssl x509 -req -in client.csr -CA intermediate-ca.pem `
  -CAkey intermediate-ca-key.pem -CAcreateserial -out client.pem `
  -days 365
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
**For Testing Only**

Self-signed certificates and test CAs should only be used for testing and development. For production, use certificates from a trusted Certificate Authority.
{% endhint %}

## Conversion Troubleshooting

### Issue: "unable to load certificate" or "unable to load private key"

**Cause:** Wrong input format specified.

**Solution:**

* Verify the input format with `file` command or `head`
* Try different `-inform` options (PEM, DER)
* Check that the file is not corrupted

### Issue: "bad decrypt" when decrypting

**Cause:** Wrong password or corrupted file.

**Solution:**

* Verify the password is correct
* Check the file is not corrupted
* Try opening the file with other tools to verify

### Issue: "no certificate matches private key"

**Cause:** Extracted wrong certificate from bundle.

**Solution:**

* Re-extract with `-clcerts` to get only the client certificate
* Verify certificate and key match using verification commands
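
One way to run the certificate and key match check mentioned above, extended to find which certificate in a multi-certificate bundle belongs to a key. This is an added example, not Bindplane tooling; the function names and the throwaway demo pairs are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Bindplane tooling): match a private key to its certificate.
# Function names and the generated demo files are illustrative.

# Print the public key (SubjectPublicKeyInfo, PEM) of a certificate.
cert_spki() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
# Same for a private key. "-passin pass:" makes an encrypted key fail
# immediately instead of prompting for a passphrase.
key_spki()  { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# cert_key_match CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
cert_key_match() {
  local c k
  c=$(cert_spki "$1") || return 2
  k=$(key_spki "$2") || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# find_matching_cert BUNDLE KEY -> prints the 1-based position of the
# certificate in BUNDLE whose public key matches KEY; non-zero if none does
find_matching_cert() {
  local bundle="$1" key="$2" tmp i=1 found=0
  tmp=$(mktemp -d) || return 2
  # One file per certificate; text before the first BEGIN line is skipped
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                   n{print > (d "/cert" n ".pem")}' "$bundle"
  while [ -f "$tmp/cert$i.pem" ]; do
    if cert_key_match "$tmp/cert$i.pem" "$key"; then found=$i; break; fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  [ "$found" -gt 0 ] && echo "$found"
}

# make_demo_pairs DIR: two throwaway EC key/cert pairs (constructed test data)
# and a bundle that lists b.crt first, a.crt second
make_demo_pairs() {
  local d="$1" n
  for n in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$d/$n.key" 2>/dev/null
    openssl req -x509 -new -key "$d/$n.key" -subj "/CN=$n.example.test" \
      -days 1 -out "$d/$n.crt" 2>/dev/null
  done
  cat "$d/b.crt" "$d/a.crt" > "$d/bundle.pem"
}

# Run with --demo to see a mismatch and the bundle lookup
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_demo_pairs "$d"
  cert_key_match "$d/b.crt" "$d/a.key" || echo "b.crt does not match a.key"
  echo "a.key matches certificate #$(find_matching_cert "$d/bundle.pem" "$d/a.key")"
  rm -rf "$d"
fi
```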

