How-to guide

Convert PFX to PEM with OpenSSL on Windows

PFX (also called PKCS#12 or P12) files bundle a certificate and private key together. OpenSSL can split them into separate PEM files, or combine PEM files back into a PFX. This is essential when moving certificates between Windows IIS, nginx, Apache and Azure.

Extract everything from a PFX file

These three commands cover all scenarios. Run them in Command Prompt from your certificates folder.

Extract private key (encrypted)

cmd.exe
C:\certs> openssl pkcs12 -in certificate.pfx -nocerts -out private-encrypted.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Extract private key (no passphrase — plain text)

cmd.exe
C:\certs> openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key
Enter Import Password:
Unencrypted private keys (-nodes) are stored as plain text. Restrict file permissions immediately after creation.

Extract certificate (no key)

cmd.exe
C:\certs> openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem
Enter Import Password:

Extract everything at once

cmd.exe
C:\certs> openssl pkcs12 -in certificate.pfx -nodes -out everything.pem
Enter Import Password:

The output file contains the private key, certificate and any intermediate CA certs all concatenated. You can split them by finding the -----BEGIN/END----- boundaries.
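
One way to do that split, as an added example that is not part of the original guide: a small Python parser that returns each PEM block with its label and skips the "Bag Attributes" text that openssl pkcs12 writes between blocks. The function names, output file names and sample input are this example's own; the sample is constructed, not real key material.

```python
import re
import sys
from pathlib import Path

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def split_pem(text):
    """Return [(label, block), ...] in file order for a concatenated PEM bundle."""
    blocks, label, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            # Outside a block: openssl's "Bag Attributes"/"subject=" lines are skipped.
            begin = BEGIN.fullmatch(line)
            if begin:
                label, lines = begin.group(1), [line]
            continue
        lines.append(line)
        if line == f"-----END {label}-----":
            blocks.append((label, "\n".join(lines) + "\n"))
            label = None
        elif line.startswith("-----"):
            raise ValueError(f"unexpected boundary in {label} block: {line}")
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks

def output_names(blocks):
    """Pair each block with a file name like 01-private-key.pem (this example's naming)."""
    return [(f"{i:02d}-{label.lower().replace(' ', '-')}.pem", block)
            for i, (label, block) in enumerate(blocks, start=1)]

# Constructed sample: placeholder base64, not real key material.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
QUJDREVGR0g=
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = www.example.test
-----BEGIN CERTIFICATE-----
SUpLTE1OT1A=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # python split_pem.py everything.pem  -> writes one file per block
    for name, block in output_names(split_pem(Path(sys.argv[1]).read_text())):
        Path(name).write_text(block)
        print(name)
```

Key blocks are written exactly as found, so a key extracted with -nodes remains unencrypted in the output file. To tell the leaf certificate from the chain, use the -clcerts and -cacerts options shown in the next section rather than relying on block order.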

Extract CA certificate chain

cmd.exe
# Extract only CA/intermediate certs (not the server cert):
C:\certs> openssl pkcs12 -in certificate.pfx -nokeys -cacerts -out ca-chain.pem
# Extract only the server/leaf certificate:
C:\certs> openssl pkcs12 -in certificate.pfx -nokeys -clcerts -out server-cert.pem

Create a PFX from PEM files

Combine a private key, certificate and optional CA chain into a PFX (useful for IIS, Azure, Windows certificate store):

cmd.exe
# Key + cert only:
C:\certs> openssl pkcs12 -export -inkey private.key -in certificate.pem -out output.pfx
Enter Export Password:
Verifying - Enter Export Password:
# Key + cert + CA chain:
C:\certs> openssl pkcs12 -export -inkey private.key -in certificate.pem -certfile ca-chain.pem -out output.pfx

PEM ↔ DER conversion

cmd.exe
# PEM to DER (binary):
C:\certs> openssl x509 -in certificate.pem -outform DER -out certificate.der
# DER to PEM:
C:\certs> openssl x509 -in certificate.der -inform DER -out certificate.pem
# DER private key to PEM:
C:\certs> openssl rsa -in private.der -inform DER -out private.pem

Conversion questions

What is the PFX import password?
It is the password that was set when the PFX file was created or exported. If you received the PFX from a CA or another system, ask the sender for the password. If you created it yourself, it is the export password you entered at creation time.

I get "Mac verify error" when opening the PFX
The import password is wrong, or the PFX file was created with legacy algorithms incompatible with newer OpenSSL. Try adding the -legacy flag: openssl pkcs12 -legacy -in certificate.pfx -nokeys -out cert.pem.

What is the difference between PFX, P12 and PKCS#12?
They are all the same format. PFX is the file extension commonly used on Windows. P12 is common on Linux/Mac. PKCS#12 is the official standard name. All three can be opened with the same openssl pkcs12 command.

How do I create a PFX without a password?
Add -passout pass: (empty passphrase) to the export command: openssl pkcs12 -export -inkey key.pem -in cert.pem -out output.pfx -passout pass:. Note that some tools (like IIS) require a non-empty password.

Need to inspect the certificate inside the PFX?

Use openssl x509 commands to check expiry, SANs and issuer.
