你不需要openssl或makecert或任何。你也不需要CA给你的个人密钥。我几乎可以保证，问题是你希望能够使用CA提供的密钥和cer文件，但它们不是基于“IIS方式”。

SSL证书IIS与PFX一劳永逸- SSL和IIS解释- http://rainabba.blogspot.com/2014/03/ssl-certs-for-iis-with-pfx-once-and-for.html

Use IIS "Server Certificates" UI to "Generate Certificate Request" (the details of this request are out of the scope of this article but those details are critical). This will give you a CSR prepped for IIS. You then give that CSR to your CA and ask for a certificate. Then you take the CER/CRT file they give you, go back to IIS, "Complete Certificate Request" in the same place you generated the request. It may ask for a .CER and you might have a .CRT. They are the same thing. Just change the extension or use the . extension drop-down to select your .CRT. Now provide a proper "friendly name" (*.yourdomain.example, yourdomain.example, foo.yourdomain.example, etc..) THIS IS IMPORTANT! This MUST match what you setup the CSR for and what your CA provided you. If you asked for a wildcard, your CA must have approved and generated a wildcard and you must use the same. If your CSR was generated for foo.yourdomain.example, you MUST provide the same at this step.

需要使用makecert工具。

以管理员身份打开命令提示符，输入以下命令:

makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer"

其中<CertifcateName> =要创建的证书的名称。

然后，您可以通过键入certmgr打开管理控制台的证书管理器管理单元。在开始菜单中，单击个人>证书>，您的证书应该可用。

这是一篇文章。

https://azure.microsoft.com/documentation/articles/cloud-services-certs-create/

从这个链接:

https://serverfault.com/a/224127/569310 https://stackoverflow.com/a/49784278/7856894 https://stackoverflow.com/a/17284371/7856894

如果需要，可以在OpenSSL中使用这个简单的命令序列来生成filessl。key (SSL证书密钥文件)、filessl. key和filessl. key。SSL证书文件:

openssl genrsa 2048 > filessl.key
chmod 400 filessl.key
openssl req -new -x509 -nodes -sha256 -days 365 -key filessl.key -out filessl.crt

在此之前，您必须响应交互式表单(您可以从其他帖子中找到类似req.cnf的参考信息:https://stackoverflow.com/a/49784278/7856894)

然后，继续执行最后一个命令，它会要求您输入Export Password:

openssl pkcs12 -export -out filessl.pfx -inkey filessl.key -in filessl.crt

准备好了，它生成了.pfx(或. p12)格式的SSL证书文件:

Windows不需要安装OpenSSL的解决方案

我最近试图解决同样的问题——我只有一台windows笔记本电脑，没有安装openssl(也没有足够的管理权限来安装它)。原来windows有一个内置的实用程序，叫做certutil，它能够将。crt和。key文件组合成。pfx。医生来了。

您需要创建一个新文件夹，并将.crt和关键文件放在其中。重命名两个文件，使其具有相同的名称(但扩展名不同):

{{sitename}}.crt
{{siteName}}.key

如果你的密钥文件是一个普通的txt -只是改变扩展名。key。

之后，在该文件夹中打开cmd并运行certutil -mergepfx [INPUTFILE] [OUTPUTFILE]

例子:

证书文件:“mySite.crt”

密钥文件:mySite.key

certutil命令:certutil -mergepfx mySite。crt mySite.pfx

注意:您将被要求为新创建的.pfx文件提供密码-不要忘记记忆/存储它-因为在目标系统上导入证书时将需要它。

这是迄今为止最简单的转换方法。Cer到*。可以文件:

只需从DigiCert下载便携式证书转换器: https://www.digicert.com/util/pfx-certificate-management-utility-import-export-instructions.htm

执行它，选择一个文件，并得到你的*.pfx!!

在大多数情况下，如果您无法将证书导出为PFX(包括私钥)，是因为MMC/IIS无法找到/没有访问私钥(用于生成CSR)的权限。以下是我解决这个问题的步骤:

Run MMC as Admin Generate the CSR using MMC. Follow this instructions to make the certificate exportable. Once you get the certificate from the CA (crt + p7b), import them (Personal\Certificates, and Intermediate Certification Authority\Certificates) IMPORTANT: Right-click your new certificate (Personal\Certificates) All Tasks..Manage Private Key, and assign permissions to your account or Everyone (risky!). You can go back to previous permissions once you have finished. Now, right-click the certificate and select All Tasks..Export, and you should be able to export the certificate including the private key as a PFX file, and you can upload it to Azure!

希望这能有所帮助!