
Generating a PEM file from a Root Certificate Authority (Root CA) in Microsoft ADCS involves exporting the root certificate and converting it into the PEM format, which is commonly used in Linux environments, web servers, and various security applications. Note that certificates
Here’s a step-by-step guide to help you generate a PEM file from your Root CA:
PEM File Generation from Root CA in ADCS
Step 1: Export the Root CA Certificate
- Open Certification Authority console (certsrv.msc).
- Right-click the CA name → Properties.
- Go to the General tab → Click View Certificate.
- In the Certificate window, go to the Details tab → Click Copy to File.
- Use the Certificate Export Wizard:
  - Choose DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER).
  - Save the file as RootCA.cer.
If you choose Base-64 format, the file will already be in PEM format but with a .cer extension. You can simply rename it to .pem.
Step 2: Convert to PEM Format (if needed)
If you exported in DER format, you’ll need to convert it using OpenSSL:
openssl x509 -inform DER -in RootCA.cer -out RootCA.pem
If you exported in Base-64 format, you can rename the file:
mv RootCA.cer RootCA.pem
Step 3: Verify the PEM File
Open the RootCA.pem file in a text editor. It should look like this:
-----BEGIN CERTIFICATE-----
MIID…
…rest of base64 data…
-----END CERTIFICATE-----
This format is compatible with most Linux-based systems, web servers (Apache, Nginx), and applications requiring PEM certificates.
Optional: Export Private Key (Not Recommended for Root CA)
Exporting the private key of a Root CA is not recommended for security reasons. However, if you’re working in a lab or test environment:
- Use MMC → Certificates (Local Computer).
- Navigate to Trusted Root Certification Authorities → Certificates.
- Find your Root CA → Right-click → All Tasks → Export.
- Choose Yes, export the private key.
- Select PFX format and set a password.
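Then convert PFX to PEM using OpenSSL. The -nodes option writes the private key to the output file unencrypted, and this command overwrites the certificate-only RootCA.pem from Step 2: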
openssl pkcs12 -in RootCA.pfx -out RootCA.pem -nodes
⚠️ Never export the private key of a production Root CA.
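A stdlib-only Python check for Steps 1 to 3 and the private-key warning above, added here as an example and not part of the original guide: it accepts either export format, refuses any file that carries a private key, and computes the thumbprint to compare with the Thumbprint field on the certificate's Details tab. The function names and sample bytes are assumptions of this example, and it checks encoding only; it does not parse X.509 fields.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of one certificate exported as DER or Base-64 (.cer/.pem)."""
    if KEY_RE.search(data):
        # Typical of `openssl pkcs12 ... -nodes` output: must not be shipped as a trust anchor.
        raise ValueError("file contains a private key")
    blocks = CERT_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    # Base-64 export: drop the armor and any CRLF line endings; otherwise assume raw DER.
    der = base64.b64decode(b"".join(blocks[0].split()), validate=True) if blocks else data
    if der[:1] != b"\x30":  # an X.509 certificate is always a DER SEQUENCE (tag 0x30)
        raise ValueError("not a DER or Base-64 encoded certificate")
    return der


def der_to_pem(der: bytes) -> str:
    """PEM armor: Base-64 wrapped at 64 columns between BEGIN/END CERTIFICATE lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER bytes; SHA-1 is what the Windows Thumbprint field displays."""
    return hashlib.new(algo, der).hexdigest()


def same_thumbprint(der: bytes, shown: str, algo: str = "sha1") -> bool:
    """Compare with hex digits copied from the CA, ignoring spaces, colons and case."""
    return re.sub(r"[\s:]", "", shown).lower() == thumbprint(der, algo)


# Constructed sample inputs: a DER SEQUENCE header plus filler, NOT a parseable certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64_CER = der_to_pem(SAMPLE_DER).replace("\n", "\r\n").encode("ascii")
SAMPLE_WITH_KEY = b"-----BEGIN PRIVATE KEY-----\r\n(constructed)\r\n" + SAMPLE_B64_CER

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_B64_CER
    der = cert_to_der(raw)
    print("SHA-1  :", thumbprint(der))
    print("SHA-256:", thumbprint(der, "sha256"))
    sys.stdout.write(der_to_pem(der))
```

Run it with the exported file as the only argument; the printed SHA-1 value should match the Thumbprint shown in the Certificate window on the CA.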