Complete Guide: Convert PFX / PKCS#12 to PEM
If you have an SSL certificate in a .pfx or .p12 archive but your web server (like Apache or Nginx) requires separate text-based files, you need to extract them. This process is known as converting PKCS#12 to PEM.
Format Cheat Sheet
PFX/PKCS#12: A binary "container" file. Preferred by Windows, Azure, and Java.
PEM: A Base64 text-based format. Preferred by Linux, Apache, Nginx, and Python.
When do you need to convert PFX to PEM?
Web admins often run into this when migrating SSL certificates across different environments:
- Windows to Linux: Exporting a cert from IIS/Windows and moving it to Nginx.
- AWS Deployment: AWS Certificate Manager (ACM) often requires individual copy-pasting of key and certs.
- Load Balancer Config: Most hardware load balancers and CDNs require PEM inputs.
How to Extract PEM from PFX online
- Select File: Click the upload box above and choose your
.pfxor.p12file. - Enter Password: Most PFX files are encrypted. Type the export password used when creating the file.
- Convert: Hit the Convert button. Our engine will verify the password and decompose the archive.
- Save Results: You will get three distinct blocks: Private Key, Server Certificate, and the CA Chain. You can copy them individually or download them as files.
Using OpenSSL (The Technical Way)
You can also perform this extraction using OpenSSL in your terminal. Here are the common commands:
# 1. Extract the Private Key (unencrypted):
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
# 2. Extract the Server Certificate:
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
# 3. Extract the CA Chain (CA Bundle):
openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pem
Common Extraction Issues
Invalid Password Error
The most common failure. PFX passwords are case-sensitive. If you lost the password, the data is unrecoverable.
Empty Chain Certificate
If your PFX was created without "Including all certificates in path", the chain extraction will be empty.