Converting Existing PFX SSL Certificate to PEM SSL Certificate
Sometimes you will have an existing PFX file that you want to convert to PEM format. Usually this is due to specific server requirements.
To convert PFX to PEM:
To find the password used when the PFX was exported, use the following commands:
Linux $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
$ openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.
Windows C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.
Convert encrypted key to unencrypted key:
Linux $ openssl rsa -in [keyfile-encrypted.key] -out server.key
Windows C:\xampp\apache\bin\openssl rsa -in [keyfile-encrypted.key] -out server.key
Extract the server certificate and convert to PEM format:
Linux $ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt
Windows C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt
Extract the server certificate chain:
Linux $ openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]
Windows C:\xampp\apache\bin\openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]
(optional) In case your file is in p7b format, extract the server certificate and convert to PEM format
Linux $ openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt
Windows C:\xampp\apache\bin\openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt
Now you can use the server.crt, server-ca.crt and server.key files appropriately.