How To: Convert PKCS12/PKCS7 SSL Certificates Into PEM Format



  • A common issue when loading SSL certificates in the portal is the format of the certificates.
  • Certificates and private keys must be in PEM format. If the certificate is in PKCS12, PKCS7, or another format, it must be converted.
  • The intent of this article is to teach you how to convert a certificate that is in PKCS12 or PKCS7 into PEM format.
  • It also covers converting PEM to PFX with a password.

PEM vs PKCS12/PKCS7 Extensions

F5 BIG-IP systems only use SSL certificates and keys that are stored in the PEM format with a .crt extension.

  • PEM is the most common format for Certificate Authority (CA) certificates.
  • PEM certificates are Base64-encoded ASCII files that can contain multiple certificates and private keys within a single file.

Other web servers, such as Microsoft Internet Information Server (IIS), use SSL certificates in a PKCS format (PKCS#12 or PKCS#7).

  • The PKCS#12 format is a binary file that typically has a .pfx or .p12 extension. PKCS#12 files can contain Server certificates, any Intermediate (or Chain) certificates, and Private keys in a single binary file.
  • The PKCS#7 format is a Base64-encoded ASCII file that typically has a .p7b or .p7c extension. PKCS#7 files only contain Server and Intermediate certificates. PKCS#7 files do not contain any Private keys.






Certificates and private keys must be in PEM format. If the certificate is in PKCS12, PKCS7, or another format, it must be converted. To do so, use the OpenSSL toolset as follows:

  1. PKCS12
  • First, extract the private key:
openssl pkcs12 -in certpkcs12_F5.pfx -out F5.key -nocerts -nodes
  • Now extract the certificate:
openssl pkcs12 -in certpkcs12_F5.pfx -out F5.pem -nokeys -nodes


  • This command will put the key and the certificate in the same file:

PEM Format

openssl pkcs12 -in certpkcs12_F5.pfx -out F5_2.pem -nodes

CER Format

openssl pkcs12 -in certpkcs12_F5.pfx -out certificate.cer -nodes

Example of certificate.cer


Note: Since PKCS#12 is a password-protected format, each of the above commands will prompt you for the password that was used when creating the .pfx file.

  2. PKCS7

PEM Format

openssl pkcs7 -print_certs -in certificate.p7b -out certificate_pkcs7_to_pem.pem

CER Format

openssl pkcs7 -print_certs -in certificate.p7b -out certificate_pkcs7_to_cer.cer


Example of certificate_pkcs7_to_pem


  • Now, you just have to upload the files into the portal.

Note: If you use the -nodes switch, the system will discard the password on the key and the password will not be required when importing the file to the Silverline Portal. The exported key file is therefore unencrypted on disk.

Another way to configure the certificates in the Portal:

  • Using a text editor, divide the new PEM-encoded file into separate certificate and private key files by performing the following procedure:
    • Cut the text beginning with '-----BEGIN CERTIFICATE-----' and ending with '-----END CERTIFICATE-----', making sure to include the BEGIN CERTIFICATE and END CERTIFICATE statements.
    • Paste the certificate into the portal.
    • Cut the text beginning with BEGIN RSA PRIVATE KEY and ending with END RSA PRIVATE KEY, making sure to include the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY statements.
    • Paste the key into the portal.
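
The same split can be scripted instead of done by hand in a text editor. The following is an added example, not part of the original article; split_pem, extract_blocks and the file names are hypothetical. It also accepts key blocks labelled PRIVATE KEY or EC PRIVATE KEY, which OpenSSL may write instead of RSA PRIVATE KEY.

```shell
#!/bin/sh
# Added example: split a combined PEM (as written by
# `openssl pkcs12 -in ... -out ... -nodes`) into a certificate file and a
# private-key file. Function and file names are hypothetical.

# extract_blocks LABEL_REGEX FILE
# Print every PEM block whose label matches LABEL_REGEX, BEGIN/END lines
# included. "Bag Attributes" text that pkcs12 writes between blocks is dropped.
extract_blocks() {
    awk -v label="$1" '
        $0 ~ ("^-----BEGIN " label "-----") { inblock = 1 }
        inblock { print }
        $0 ~ ("^-----END " label "-----")   { inblock = 0 }
    ' "$2"
}

# split_pem COMBINED CERT_OUT KEY_OUT
# Returns 0 on success, 2 if no certificate was found, 3 if no key was found.
split_pem() {
    src=$1 cert_out=$2 key_out=$3
    extract_blocks 'CERTIFICATE' "$src" > "$cert_out" || return 1
    # With -nodes the key is unencrypted, so create the key file with
    # owner-only permissions (remove any older copy with looser ones first).
    rm -f -- "$key_out"
    ( umask 077
      extract_blocks '(RSA |EC |ENCRYPTED )?PRIVATE KEY' "$src" > "$key_out"
    ) || return 1
    # Refuse to report success when one half of the pair is missing.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert_out" || return 2
    grep -q -- 'PRIVATE KEY-----' "$key_out" || return 3
}

# Stand-alone use: sh split_pem.sh F5_2.pem F5.crt F5.key
if [ "$#" -eq 3 ]; then
    split_pem "$@"
fi
```

The certificate file keeps every certificate in the input, in order, so intermediate certificates exported with the server certificate stay in the same file.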


Converting PEM to PFX with a password:

openssl pkcs12 -export -out wwwf5com.pfx -inkey wwwf5com.key -in wwwf5com.cert -certfile intermediate-88888.cert
Enter Export Password:
Verifying - Enter Export Password:

