Certificate Conversion

Convert certificates and private keys between formats for use with Bindplane collectors.

Bindplane Requirement

Bindplane collectors only support PEM format. All certificates and keys must be converted to PEM before use.

When Conversion is Needed

Format Identification

You need to convert if:

Binary/unreadable files - DER format certificates or keys
.p12 or .pfx files - PKCS#12/PFX bundle files (common on Windows)
Encrypted private keys - Keys with password protection
Wrong key format - PKCS#1 vs PKCS#8 (though both are supported)

How to identify your file format:

# View the file
head -n 5 certificate.crt

# If you see this → PEM format
# -----BEGIN CERTIFICATE-----

# If you see binary gibberish → DER format

# If you have .p12 or .pfx extension → PKCS#12 bundle

# View the file
Get-Content C:\certs\certificate.crt -First 5

# If you see this → PEM format
# -----BEGIN CERTIFICATE-----

# If you see binary gibberish → DER format

# If you have .p12 or .pfx extension → PKCS#12 bundle

Bindplane Requirements Recap

Requirement

Status

PEM format

SUPPORTED (Base64-encoded text)

DER format

NOT supported

PKCS#12/PFX

NOT supported (must extract)

Private key encryption

NOT supported (must decrypt)

DER to PEM Conversion

DER is a binary encoding format. Bindplane requires PEM (text-based).

Convert DER Certificate to PEM

openssl x509 -inform DER -in certificate.der -out certificate.pem

Verify the conversion:

head -n 5 certificate.pem
# Should show: -----BEGIN CERTIFICATE-----

Convert DER Private Key to PEM

For RSA keys:

openssl rsa -inform DER -in private.der -out private.pem

For ECDSA keys:

openssl ec -inform DER -in private.der -out private.pem

For generic private keys:

openssl pkey -inform DER -in private.der -out private.pem

Platform-Specific Notes

Linux/macOS:

OpenSSL is usually pre-installed
Commands work as shown above

Windows:

Install OpenSSL from: https://slproweb.com/products/Win32OpenSSL.html
Or use Windows Subsystem for Linux (WSL)
Or use Git Bash which includes OpenSSL

PKCS#12/PFX to PEM Conversion

PKCS#12 (.p12) and PFX (.pfx) are bundle formats that contain certificates and private keys together, often used on Windows.

Extract Certificate from PKCS#12/PFX

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

Flags explained:

-clcerts: Extract only client certificates (not CA certs)
-nokeys: Don't extract private keys

You'll be prompted for:

Import password (the password protecting the .pfx file)

Extract Private Key from PKCS#12/PFX

Step 1: Extract encrypted key

openssl pkcs12 -in certificate.pfx -nocerts -out encrypted-key.pem

Flags explained:

-nocerts: Don't extract certificates

You'll be prompted for:

Import password (the password protecting the .pfx file)
PEM pass phrase (new password for the extracted key)

Step 2: Decrypt the private key

Required Step

The extracted key is encrypted and must be decrypted for use with Bindplane collectors.

openssl rsa -in encrypted-key.pem -out key.pem

You'll be prompted for:

The PEM pass phrase you set in Step 1

Secure the decrypted key:

chmod 600 key.pem
chown <collector-user>:<collector-group> key.pem

Extract CA Certificates from PKCS#12/PFX

If your .pfx bundle contains CA certificates:

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem

Flags explained:

-cacerts: Extract only CA certificates
-nokeys: Don't extract private keys

Complete PKCS#12/PFX Extraction Example

Extract everything from a .pfx file:

# Extract certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

# Extract and decrypt private key
openssl pkcs12 -in certificate.pfx -nocerts -out encrypted-key.pem
openssl rsa -in encrypted-key.pem -out key.pem

# Extract CA certificates (if present)
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem

# Clean up encrypted key (optional)
rm encrypted-key.pem

# Secure the private key
chmod 600 key.pem

# Extract certificate
openssl pkcs12 -in C:\certs\certificate.pfx -clcerts -nokeys -out C:\certs\certificate.pem

# Extract and decrypt private key
openssl pkcs12 -in C:\certs\certificate.pfx -nocerts -out C:\certs\encrypted-key.pem
openssl rsa -in C:\certs\encrypted-key.pem -out C:\certs\key.pem

# Extract CA certificates (if present)
openssl pkcs12 -in C:\certs\certificate.pfx -cacerts -nokeys -out C:\certs\ca-chain.pem

# Clean up encrypted key (optional)
Remove-Item C:\certs\encrypted-key.pem

# Secure the private key
icacls C:\certs\key.pem /inheritance:r /grant:r "$($env:USERNAME):(R)"

Windows-Specific Considerations

Exporting from Windows Certificate Store:

If your certificate is in the Windows Certificate Store:

Open certmgr.msc (Certificate Manager)
Navigate to the certificate
Right-click → All Tasks → Export
Export as .pfx with private key
Use the extraction commands above

Decrypting Private Keys

Encrypted private keys have password protection and cannot be used with Bindplane collectors.

Identify Encrypted Keys

head -n 10 server.key

# Encrypted keys show one of these:
# -----BEGIN ENCRYPTED PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: DES-EDE3-CBC,...

Decrypt RSA Keys (PKCS#1)

openssl rsa -in encrypted-key.pem -out decrypted-key.pem

You'll be prompted for:

The passphrase protecting the encrypted key

Decrypt ECDSA Keys

openssl ec -in encrypted-key.pem -out decrypted-key.pem

Decrypt Generic Private Keys (PKCS#8)

Works for any key type:

openssl pkey -in encrypted-key.pem -out decrypted-key.pem

Verify Key is Decrypted

head -n 5 decrypted-key.pem

# Should show (NO "ENCRYPTED"):
# -----BEGIN PRIVATE KEY-----
# or -----BEGIN RSA PRIVATE KEY-----
# or -----BEGIN EC PRIVATE KEY-----

# Should NOT show:
# -----BEGIN ENCRYPTED PRIVATE KEY-----

Get-Content C:\certs\decrypted-key.pem -First 5

# Should show (NO "ENCRYPTED"):
# -----BEGIN PRIVATE KEY-----
# or -----BEGIN RSA PRIVATE KEY-----
# or -----BEGIN EC PRIVATE KEY-----

# Should NOT show:
# -----BEGIN ENCRYPTED PRIVATE KEY-----

Security Considerations

Security Best Practice

Decrypted private keys are more vulnerable. Protect them with:

Strict file permissions (600)
Secure storage locations
Access controls
Encryption at rest (disk encryption)
Audit logging

Secure your decrypted keys:

# Set restrictive permissions
chmod 600 decrypted-key.pem

# Set ownership to collector user
chown collector-user:collector-group decrypted-key.pem

# Verify permissions
ls -la decrypted-key.pem
# Should show: -rw------- (600)

Key Format Conversion

PKCS#1 to PKCS#8

Convert traditional RSA format to PKCS#8:

openssl pkcs8 -topk8 -nocrypt -in rsa-key.pem -out pkcs8-key.pem

Flags:

-topk8: Convert to PKCS#8
-nocrypt: Don't encrypt the output key

Result:

Changes header from -----BEGIN RSA PRIVATE KEY-----
To -----BEGIN PRIVATE KEY-----

PKCS#8 to PKCS#1

Convert PKCS#8 to traditional RSA format:

openssl rsa -in pkcs8-key.pem -out rsa-key.pem

Result:

Changes header from -----BEGIN PRIVATE KEY-----
To -----BEGIN RSA PRIVATE KEY-----

Note: Both PKCS#1 and PKCS#8 formats are supported by Bindplane collectors. This conversion is only needed if you have specific format requirements.

Certificate Chain Assembly

Concatenating Certificates

Create a full certificate chain by concatenating individual certificates:

cat server.crt intermediate.crt root.crt > fullchain.crt

Correct order:

Server/leaf certificate (first)
Intermediate CA certificate(s)
Root CA certificate (optional, last)

Example Chain Assembly

# You have separate files:
# - server.crt (your server certificate)
# - intermediate.crt (intermediate CA)
# - root.crt (root CA - optional)

# Create fullchain
cat server.crt intermediate.crt > fullchain.crt

# Verify the chain
openssl certs -in fullchain.crt -text -noout

# You have separate files:
# - server.crt (your server certificate)
# - intermediate.crt (intermediate CA)
# - root.crt (root CA - optional)

# Create fullchain
Get-Content server.crt, intermediate.crt | Set-Content fullchain.crt

# Verify the chain
openssl certs -in C:\certs\fullchain.crt -text -noout

Verify Certificate Order

Check that certificates are in the correct order:

# Split the chain for inspection
awk 'BEGIN {c=0} /BEGIN CERT/{c++} {print > "cert" c ".pem"}' fullchain.crt

# Check each certificate
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

# cert1 should be your server cert (subject = your server)
# cert2 should be intermediate (issuer of cert1)

# Split the chain for inspection
$content = Get-Content C:\certs\fullchain.crt -Raw
$certs = [regex]::Matches($content, '(?s)(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)')
for ($i = 0; $i -lt $certs.Count; $i++) {
    $certs[$i].Value | Set-Content "cert$($i+1).pem"
}

# Check each certificate
openssl x509 -in cert1.pem -noout -subject -issuer
openssl x509 -in cert2.pem -noout -subject -issuer

# cert1 should be your server cert (subject = your server)
# cert2 should be intermediate (issuer of cert1)

Testing the Chain

Test that clients can verify the full chain:

# Test with OpenSSL s_client
openssl s_client -connect collector.example.com:10514 -showcerts

# Look for "Verify return code: 0 (ok)"

Generating Test Certificates

For testing and development, you can generate self-signed certificates.

Generate Self-Signed Certificate with OpenSSL

Quick single command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=collector.example.com"

Flags explained:

-x509: Generate self-signed certificate
-newkey rsa:4096: Generate 4096-bit RSA key
-keyout key.pem: Output key filename
-out cert.pem: Output certificate filename
-days 365: Valid for 365 days
-nodes: Don't encrypt the private key (no DES)
-subj: Certificate subject (customize as needed)

Generate Certificate with Subject Alternative Names (SANs)

Create a config file for SANs:

cat > san.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
CN = collector.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = collector.example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.10
EOF

@"
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = State
L = City
O = Organization
CN = collector.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = collector.example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.10
"@ | Set-Content C:\certs\san.cnf

Generate the certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days 365 -nodes -config san.cnf

Generate Certificate Chain for Testing

Create a complete CA chain for testing:

Step 1: Generate Root CA

# Generate root CA key
openssl genrsa -out root-ca-key.pem 4096

# Generate root CA certificate
openssl req -x509 -new -key root-ca-key.pem -out root-ca.pem \
  -days 3650 -subj "/C=US/O=Test Org/CN=Test Root CA"

# Generate root CA key
openssl genrsa -out root-ca-key.pem 4096

# Generate root CA certificate
openssl req -x509 -new -key root-ca-key.pem -out root-ca.pem `
  -days 3650 -subj "/C=US/O=Test Org/CN=Test Root CA"

Step 2: Generate Intermediate CA

# Generate intermediate CA key
openssl genrsa -out intermediate-ca-key.pem 4096

# Generate intermediate CSR
openssl req -new -key intermediate-ca-key.pem -out intermediate-ca.csr \
  -subj "/C=US/O=Test Org/CN=Test Intermediate CA"

# Sign intermediate with root CA
openssl x509 -req -in intermediate-ca.csr -CA root-ca.pem \
  -CAkey root-ca-key.pem -CAcreateserial -out intermediate-ca.pem \
  -days 1825

# Generate intermediate CA key
openssl genrsa -out intermediate-ca-key.pem 4096

# Generate intermediate CSR
openssl req -new -key intermediate-ca-key.pem -out intermediate-ca.csr `
  -subj "/C=US/O=Test Org/CN=Test Intermediate CA"

# Sign intermediate with root CA
openssl x509 -req -in intermediate-ca.csr -CA root-ca.pem `
  -CAkey root-ca-key.pem -CAcreateserial -out intermediate-ca.pem `
  -days 1825

Step 3: Generate Server Certificate

# Generate server key
openssl genrsa -out server-key.pem 2048

# Generate server CSR
openssl req -new -key server-key.pem -out server.csr \
  -subj "/C=US/O=Test Org/CN=collector.example.com"

# Sign server cert with intermediate CA
openssl x509 -req -in server.csr -CA intermediate-ca.pem \
  -CAkey intermediate-ca-key.pem -CAcreateserial -out server.pem \
  -days 365

# Generate server key
openssl genrsa -out server-key.pem 2048

# Generate server CSR
openssl req -new -key server-key.pem -out server.csr `
  -subj "/C=US/O=Test Org/CN=collector.example.com"

# Sign server cert with intermediate CA
openssl x509 -req -in server.csr -CA intermediate-ca.pem `
  -CAkey intermediate-ca-key.pem -CAcreateserial -out server.pem `
  -days 365

Step 4: Create Fullchain

cat server.pem intermediate-ca.pem > fullchain.pem

Generate mTLS Test Certificates

Generate client certificates for mTLS testing:

# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate client CSR
openssl req -new -key client-key.pem -out client.csr \
  -subj "/C=US/O=Test Org/CN=Test Client"

# Sign client cert with intermediate CA
openssl x509 -req -in client.csr -CA intermediate-ca.pem \
  -CAkey intermediate-ca-key.pem -CAcreateserial -out client.pem \
  -days 365

# Generate client key
openssl genrsa -out client-key.pem 2048

# Generate client CSR
openssl req -new -key client-key.pem -out client.csr `
  -subj "/C=US/O=Test Org/CN=Test Client"

# Sign client cert with intermediate CA
openssl x509 -req -in client.csr -CA intermediate-ca.pem `
  -CAkey intermediate-ca-key.pem -CAcreateserial -out client.pem `
  -days 365

For Testing Only

Self-signed certificates and test CAs should only be used for testing and development. For production, use certificates from a trusted Certificate Authority.

Conversion Troubleshooting

Issue: "unable to load certificate" or "unable to load private key"

Cause: Wrong input format specified.

Solution:

Verify the input format with file command or head
Try different -inform options (PEM, DER)
Check that the file is not corrupted

Issue: "bad decrypt" when decrypting

Cause: Wrong password or corrupted file.

Solution:

Verify the password is correct
Check the file is not corrupted
Try opening the file with other tools to verify

Issue: "no certificate matches private key"

Cause: Extracted wrong certificate from bundle.

Solution:

Re-extract with -clcerts to get only the client certificate
Verify certificate and key match using verification commands

PreviousTLS Concepts NextTesting and Verification

Last updated 1 day ago

Was this helpful?

Good afternoon

hashtagWhen Conversion is Needed

hashtagFormat Identification

hashtagBindplane Requirements Recap

hashtagDER to PEM Conversion

hashtagConvert DER Certificate to PEM

hashtagConvert DER Private Key to PEM

hashtagPlatform-Specific Notes

hashtagPKCS#12/PFX to PEM Conversion

hashtagExtract Certificate from PKCS#12/PFX

hashtagExtract Private Key from PKCS#12/PFX

hashtagExtract CA Certificates from PKCS#12/PFX

hashtagComplete PKCS#12/PFX Extraction Example

hashtagWindows-Specific Considerations

hashtagDecrypting Private Keys

hashtagIdentify Encrypted Keys

hashtagDecrypt RSA Keys (PKCS#1)

hashtagDecrypt ECDSA Keys

hashtagDecrypt Generic Private Keys (PKCS#8)

hashtagVerify Key is Decrypted

hashtagSecurity Considerations

hashtagKey Format Conversion

hashtagPKCS#1 to PKCS#8

hashtagPKCS#8 to PKCS#1

hashtagCertificate Chain Assembly

hashtagConcatenating Certificates

hashtagExample Chain Assembly

hashtagVerify Certificate Order

hashtagTesting the Chain

hashtagGenerating Test Certificates

hashtagGenerate Self-Signed Certificate with OpenSSL

hashtagGenerate Certificate with Subject Alternative Names (SANs)

hashtagGenerate Certificate Chain for Testing

hashtagGenerate mTLS Test Certificates

hashtagConversion Troubleshooting

hashtagIssue: "unable to load certificate" or "unable to load private key"

hashtagIssue: "bad decrypt" when decrypting

hashtagIssue: "no certificate matches private key"

When Conversion is Needed

Format Identification

Bindplane Requirements Recap

DER to PEM Conversion

Convert DER Certificate to PEM

Convert DER Private Key to PEM

Platform-Specific Notes

PKCS#12/PFX to PEM Conversion

Extract Certificate from PKCS#12/PFX

Extract Private Key from PKCS#12/PFX

Extract CA Certificates from PKCS#12/PFX

Complete PKCS#12/PFX Extraction Example

Windows-Specific Considerations

Decrypting Private Keys

Identify Encrypted Keys

Decrypt RSA Keys (PKCS#1)

Decrypt ECDSA Keys

Decrypt Generic Private Keys (PKCS#8)

Verify Key is Decrypted

Security Considerations

Key Format Conversion

PKCS#1 to PKCS#8

PKCS#8 to PKCS#1

Certificate Chain Assembly

Concatenating Certificates

Example Chain Assembly

Verify Certificate Order

Testing the Chain

Generating Test Certificates

Generate Self-Signed Certificate with OpenSSL

Generate Certificate with Subject Alternative Names (SANs)

Generate Certificate Chain for Testing

Generate mTLS Test Certificates

Conversion Troubleshooting

Issue: "unable to load certificate" or "unable to load private key"

Issue: "bad decrypt" when decrypting

Issue: "no certificate matches private key"