Convert .crt file to .cer and .key

Question

I was asked to help converting a certificate for a renewal. I was given the domainname.crt file along with some intermediate .crt files, but no .key file. They want me to convert the CRT to both a .CER and a .KEY file.

I have looked at the following (among many other sites) but they either say I need the .key file, which I don't have, or that I have to install it locally and then export it, but when using MMC and trying to export it the .PFX option is grayed out.

http://community.spiceworks.com/topic/367133-i-cant-convert-a-ssl-crt-to-pfx-i-need-help-with-this

I also tried the OpenSSL command PKCS12 -EXPORT... to convert it to a .P12 and I get an error for "unable to load private key". If I open it and choose "Copy To File..." I can obtain a .CER file but nothing more.

Thank you for your help.

Answer 1

You don't need to convert a CRT to a PFX. You can convert a CRT to a CER, and from there you can load it into the Certificate Store.

https://support.comodo.com/index.php?/Knowledgebase/Article/View/361/17/how-do-i-convert-crt-file-into-the-microsoft-cer-format

1. Right-click the CRT file and select "Open".
2. Navigate to the "Details" tab.
3. Click "Copy to File..."
4. Click "Next".
5. Select the "Base-64 encoded X.509 (.CER)" option, and click "Next".
6. Give your export file a name (e.g., "www.mysite.com-2019.cer"), and click "Save".
7. Click "Next".
8. Confirm the details, and click "Finish".
9. Open IIS, and navigate to the "Server Certificates" page.
10. Click "Complete Certificate Request" (on the right-nav).
11. Select your new CER file, specify a friendly name of your choosing (e.g., "www.mysite.com-2019"), and click "OK".

You should see the new cert listed in the "Server Certificates" page, under the "Friendly Name" that you chose.

Answer 2

Is the private key in the certificate file? In other words, in there a section that starts with

-----BEGIN RSA PRIVATE KEY-----

in the file?

If not, then the private key is stored in a separate file.

In any case, to renew a certificate, you don't need a certificate, but a certificate signing request (CSR), which you will send to the CA, and you will receive the certificate in return (alternatively, in some cases the CA may generate a new certificate using the previous stored CSR).

You can generate a new key with:

openssl genrsa -out <private key file name> 2048

then generate the CSR with:

openssl req -new -key <private key file name> -out <csr file name>

You keep the key, send the CSR to the CA. On return, you get the certificate, which together with the intermediate certificates and the private key, should be provided to the software used. In some cases they need to be in separate files, in others you can just lump them up together in a single file.