Converting a PFX Certificate to PEM Format
Many network devices and Linux services require certificates in .pem format, while Windows typically uses .pfx (PKCS#12). A .pfx bundles the certificate, its private key, and any intermediate certificates into one password-protected file; .pem is a Base64 text format that can hold the certificate, the key, or both. Converting between them with OpenSSL is straightforward.
These commands assume OpenSSL is installed. On Windows, open a command prompt in the OpenSSL bin directory and place your .pfx file there:
cd C:\OpenSSL-Win64\bin
On Linux or macOS, OpenSSL is usually already installed — just run the commands from any directory.
Extract the Certificate and Private Key Together
The simplest conversion produces a single PEM file containing both the certificate and the (decrypted) private key. The -nodes flag leaves the key unencrypted:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
You'll be prompted for the PFX import password.
Extract the Private Key and Certificate Separately
If you need them in separate files — common for web servers like NGINX or Apache:
Private key only:
openssl pkcs12 -in certificate.pfx -nocerts -out privatekey.pem -nodes
Certificate only (no key):
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem
Omit -nodes from the key command if you want the private key to remain encrypted with a passphrase.
Convert PEM Back to PFX
To go the other way and bundle a PEM certificate and key back into a PFX:
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.pem -in certificate.pem -certfile chain.pem
The -certfile parameter is optional and used to include intermediate CA certificates. You'll be asked to set an export password.
Extract Only the Certificate as a .CER
If you only need the public certificate from a PFX (for example to import into a trust store), extract it and optionally convert to DER:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.cer
Related Certificate Conversions
- Convert CRT to PFX — bundle a certificate and private key into a PFX
- Convert CRT to CER — change certificate encoding (PEM/DER)
Frequently Asked Questions
How do I convert a PFX to PEM with the private key included?
Run openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes. The -nodes flag exports the private key unencrypted into the same PEM file as the certificate. Omit -nodes to keep the key passphrase-protected.
How do I extract just the private key from a PFX?
Use openssl pkcs12 -in certificate.pfx -nocerts -out privatekey.pem -nodes. This writes only the private key to privatekey.pem.
Can I convert PEM back to PFX?
Yes. Use openssl pkcs12 -export -out certificate.pfx -inkey privatekey.pem -in certificate.pem, optionally adding -certfile chain.pem to include intermediate certificates.
What is the difference between PFX and PEM?
A .pfx (PKCS#12) is a single binary, password-protected file containing the certificate, private key, and chain. A .pem is a Base64 text format that can contain the certificate, the key, or both. Use PFX for Windows/IIS and PEM for most Linux services and network appliances.