Sometimes you will have an existing PFX file that you want to convert to PEM format. Usually this is due to specific server requirements.

To convert PFX to PEM:

  1.  To find the password used when the PFX was exported, use the following commands:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -nocerts -nodes -out [keyfile-encrypted.key] # use this command if the first command generates empty certificate.

     

  2. Convert encrypted key to unencrypted key:

    Linux

    $ openssl rsa -in [keyfile-encrypted.key] -out server.key

    Windows

    C:\xampp\apache\bin\openssl rsa -in [keyfile-encrypted.key] -out server.key

     

  3. Extract the server certificate and convert to PEM format:

    Linux

    $ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

     

  4. Extract the server certificate chain:

    Linux

    $ openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]

    Windows

    C:\xampp\apache\bin\openssl pkcs12 -in [certificate.pfx] -cacerts -nokeys -out [server-ca.crt]


  5. (optional) In case your file is in p7b format, extract the server certificate and convert to PEM format

    Linux

    $ openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt

    Windows

    C:\xampp\apache\bin\openssl pkcs7 -print_certs -in [yourfile.p7b] -out server.crt


Now you can use the server.crt, server-ca.crt and server.key files appropriately.