Converting Existing PFX SSL Certificate to PEM SSL Certificate

Sometimes you will have an existing PFX file that you want to convert to PEM format. Usually this is due to specific server requirements.

To convert PFX to PEM:

  1. Extract the private key from the PFX. You will need the password that was used when the PFX was exported:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    If the first command produces an empty output file, use this command instead. The -nodes option writes the private key without encryption:

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key]

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    If the first command produces an empty output file, use this command instead:

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key]

     

  2. Convert encrypted key to unencrypted key:

    Linux

    $ openssl rsa -in [keyfile-encrypted.key] -out server.key

    Windows

    C:\xampp\apache\bin\openssl rsa -in [keyfile-encrypted.key] -out server.key

     

  3. Extract the server certificate and convert to PEM format:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

     

  4. Extract the server certificate chain:

    Linux

    $ openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]


  5. (optional) If your file is in p7b format, extract the server certificate and convert it to PEM format:

    Linux

    $ openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

You can now use the server.crt, server-ca.crt and server.key files in your server configuration. server.key is an unencrypted private key, so restrict read access to it.
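
Steps 1 to 4 as one POSIX shell script, followed by a check that the extracted key belongs to the extracted certificate. This is an added example, not part of the original page. The function names, the intermediate bag.key file, the sample password, the use of -passin env: and umask, and the throwaway self-signed PFX it builds as input are all assumptions made for the example.

```sh
#!/bin/sh
# Added example. Function names, file names and the password are assumptions.

# Constructed sample input: a throwaway self-signed certificate exported as PFX.
make_sample_pfx() {  # $1 = work dir, $2 = export password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    PFX_PASS="$2" openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

# Steps 1-4: split PFX $1 (password $2) into PEM files in existing dir $3.
pfx_to_pem() {
    (
        umask 077             # server.key is unencrypted: owner-only access
        export PFX_PASS="$2"  # env: keeps the password off the command line
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
            -out "$3/bag.key" &&
        openssl rsa -in "$3/bag.key" -out "$3/server.key" 2>/dev/null &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
            -out "$3/server.crt" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -cacerts -nokeys \
            -out "$3/server-ca.crt"
        status=$?
        rm -f "$3/bag.key"    # drop the intermediate copy of the key
        exit $status
    )
}

# Succeeds only if key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_pfx "$work" "constructed-pass" &&
    pfx_to_pem "$work/sample.pfx" "constructed-pass" "$work" &&
    key_matches_cert "$work/server.key" "$work/server.crt" &&
    echo "server.key matches server.crt"
    status=$?
    rm -rf "$work"
    return $status
}
demo
```

With a PFX that contains only a self-signed certificate, as in this sample, server-ca.crt comes out empty because there are no CA certificates to extract.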