How to convert .crt to .pem or .pkcs12 format
Showing results for 
Search instead for 
Did you mean: 

How to convert .crt to .pem or .pkcs12 format

L4 Transporter

Hi Guys,

I know this not the best place to put up this question, but I feel someone might have good experience or knowledge who can share it out. :smileyhappy:

I had a self generated certificate for SSL-VPN and Captive Portal on the Palo Alto.  I then generated a CSR for the same certificates and handed it over to the customer.  The customer then sent it to their CA for authorization and signing it.  Customer gets them back signed and in .crt format.

I then was asked to import it back on to the Palo Alto.  But PA only accepts .pem or .pkcs12 format.  From here I do not where to go and how to get this sorted out.

Any help on this would be great.




Accepted Solutions

L0 Member

Create CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout vpn.key -out vpn.csr
Enter requested info
Upload vpn.csr to CA

Create PFX for PAN Device:
(If starting with .pb7 from CA)
openssl pkcs7 -print_certs -in vpn.p7b -out vpn-2012.crt  

If starting with (If starting with .crt or if you have converted to a .crt from CA)      

openssl pkcs12 -export -out vpn.pfx -inkey vpn.key -in vpn.crt -certfile ca.crt    
Enter Export Password: Enter password here - This will be passphrase when you upload into PAN Device)
Verifying - Enter Export Password: Re-Enter password here

Upload .pfx to PAN Device
Enter passphrase that you typed when you exported as a PFX

To get the ca.crt file, copy and paste the Intermediate CA and Root CA into a notepad file and rename to ca.crt

View solution in original post


L6 Presenter

openssl is your friend:

And regarding selfsigned certs I think this should work:

#openssl genrsa -des3 -out server.key 4096
#chmod 400 server.key
#openssl req -new -key server.key -out server.csr
#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Install server.key and server.crt on the PA unit and the server.crt on the clients.

Hi There, this does not particularly help me.  I am now stuck with the private key.  While creating a self signed certificate on the Palo Alto, we are never asked for a private key.  While generating a CSR using IIS, I was never asked for a private key.  Now that I have to install the certificate back on the firewall; I need the private key and I see no way to find out what the private key was :smileysad:

Hi Kalyanram,

A few questions here:

1. What format is your certificate in? (.pfx, .pem? )

2. When trying to import the certificate onto PAN, what file format have you chosen on PAN?



Hi Ashan,

To give you a quick heads up; I am very lame with certificates.

1. What format is your certificate in? (.pfx, .pem? )

--> It is in the format of .crt.  I found this out by looking into the properties of the certificate.  Is that the correct way into looking for what the format is?

2. When trying to import the certificate onto PAN, what file format have you chosen on PAN?

--> I have choosen both formats i.e .PKCS12 and PEM.  When using PKCS12 format; I uploaded the .crt file and entered the passphrase and then 2mins time; "Import of Certificate and Private Key failed.  Failed to extract certificate".

When I use .PEM format; I uploaded the same certificate and then checked Import Private Key after which I had no idea of what to do.  Then tried doing the same process without checking "Import Private Key".  The certificate then was successfully imported onto the Firewall after which I then checked the option "Trusted Root CA".  Will this work??

Thank you


Hi Kal,

we had made our certificates all within our Windows Server (TM).

Your windows admin shall produce a certificate "for all issues" and sign it by his root-ca. Thereafter he has to export both certificates (the just generated private key and the just signed publich key) in one file. The format of the file has to be "pfx". Dont forget to ask which passphrase was used.



Hi Kal,

If the certificate is in .crt format, that means its already in PEM format.  PEM certificates usually have extensions such as .pem and .crt.  Since its in .crt, I beleive you only have the certificate and not its associated key.  You can confirm by opening the .crt file in notepad.  If you only see characters dilineated by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, that means that this is just the certificate.  To import PEM format certificate, we require the associated key file also.  Normally the certificate and its key are both in the same file in .pem certificates.  The key part is dilineated by ------BEGIN RSA PRIVATE KEY----- and ------END RSA PRIVATE KEY-----.

Here is what you need to do:

- Go back to the IIS server and re-export the certificate in .pfx format (pkcs12)

You now have 2 options.

1. Import the .pfx file as it is into PAN by chossing the pkcs12 format during import.

2. Convert the .pfx into .pem and then import the .pem certificate onto PAN.  The following doument describes option 2 towards the end of the document:



Hi Ashan,

Many thanks for the information.  I will try it out today and let you know the outcome.



I've used a slightly different procedure for genning/signing internal certs via my internal MS CA for installation within my PA units.

PA has the following doc:

which references this verisign doc:

The procedure involves the use of the openssl tool for genning a key/CSR.  Once that's complete, take the CSR and sign it using the MS CA.  Using web certificate services on my CA, I can download the signed certificate (using the std web server template) from the CA as a base64 encoded *.cer file.  With that in hand, I've been able to import the cert and key into my PA units.  I did the original procedure for 3.1.6, but it's worked for 4.0.x as well as 4.1.x (though the interface for importing the certs has changed slightly through the different revisions).  You'd also likely need to import the CA certs into the PA units for the validation to work properly.


Hey Guys,

Just for a quick update; none of these steps worked for me.  Tried everything and was completely messed up.  Hence I used openssl from one of my servers and generated a new CSR and Private key.  I used the following commands to get it generated

openssl genrsa -out ca.key 2048

openssl req -new -key ca.key -out ca.csr

Job done.

Thanks for the inputs.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!