PFX to PEM Conversion — Extract Certs & Keys from PKCS#12

PFX (also known as PKCS#12 or P12) is a binary archive format that bundles a certificate, its private key, and optionally the intermediate certificates — all in a single password-protected file. It's the standard exchange format on Windows, but Linux servers and most DevOps tools expect PEM format.

What's Inside a PFX File?

A PFX file is a container that can hold:

End-entity certificate — your server or client certificate
Private key — the corresponding RSA/ECDSA private key
Intermediate certificates — the CA chain needed for verification
Root certificate — sometimes included (but not always needed)

All contents are encrypted with a password using PKCS#12 encryption.

Where PFX Files Come From

You'll encounter PFX files when:

Exporting certificates from Windows/IIS
Receiving certificates for code signing
Setting up S/MIME email encryption
Backing up client certificates for mutual TLS (mTLS)
Migrating certificates between Windows and Linux servers
Importing/exporting from Java keystores (via conversion)

Converting PFX to PEM with OpenSSL

Extract Everything (Certificate + Key + Chain)

openssl pkcs12 -in certificate.pfx -out everything.pem -nodes

-nodes means "no DES" — the private key won't be encrypted in the output
You'll be prompted for the PFX password
The output file contains all certificates and the private key mixed together

Extract Only the Certificate

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem

-clcerts selects only the client (end-entity) certificate
-nokeys excludes the private key

Extract Only the Private Key

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem

-nocerts excludes all certificates
-nodes outputs the key unencrypted

Security note: Set strict permissions on the key file immediately:

chmod 600 key.pem

Extract Only the CA Chain (Intermediates)

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out chain.pem

-cacerts selects only CA certificates (not the end-entity)
This gives you the intermediate certificates needed for your server config

Build the Full Chain File for Nginx

For Nginx, you need a file with the end-entity cert followed by intermediates:

# Extract cert and chain separately
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out chain.pem

# Concatenate in the correct order
cat cert.pem chain.pem > fullchain.pem

# Extract the private key
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem
chmod 600 key.pem

Then in your Nginx config:

ssl_certificate     /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;

Converting PEM Back to PFX

Sometimes you need to go the other direction — create a PFX from PEM files:

# Basic: cert + key
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem

# With intermediate chain
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem \
  -certfile chain.pem

# With a friendly name (visible in Windows cert store)
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem \
  -certfile chain.pem \
  -name "My Server Certificate"

You'll be prompted to set an export password.

Common Pitfalls

1. Incorrect Password

Mac verify error: invalid password?

PFX passwords are case-sensitive. Some PFX files have an empty password (not no password). Try:

# Empty password (press Enter when prompted)
openssl pkcs12 -in cert.pfx -out cert.pem -nodes

# Or specify empty password explicitly
openssl pkcs12 -in cert.pfx -out cert.pem -nodes -passin pass:

2. Legacy PFX Format (OpenSSL 3.x)

OpenSSL 3.x changed the default PKCS#12 algorithms. Older PFX files might fail with:

Error outputting keys and certificates

Fix by enabling legacy support:

openssl pkcs12 -in old.pfx -out cert.pem -nodes -legacy

When creating PFX files for older Windows systems:

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem \
  -certfile chain.pem -legacy

3. Missing Chain Certificates

If the PFX only contains the end-entity cert and key (no intermediates), you'll need to download the intermediates separately from your CA.

# Check what's in the PFX
openssl pkcs12 -in cert.pfx -nokeys -out certs.pem -nodes
grep -c "BEGIN CERTIFICATE" certs.pem
# 1 = only server cert (missing chain)
# 2+ = chain included

4. Key Doesn't Match Certificate

After extraction, verify the key matches the certificate:

# Compare modulus hashes — they must be identical
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

Browser-Based Alternative

If you don't have OpenSSL installed or prefer a visual approach, the PFX Decoder tab in our SSL Certificate Decoder can:

Decode PFX files entirely in your browser (the file never leaves your device)
Display all certificates with full details (subject, issuer, validity, SANs, key usage)
Show the private key (collapsed, with a security warning)
Let you copy the full chain in PEM format

This is especially useful when you need to quickly inspect a PFX file you received and determine what certificates it contains before deploying.

Quick Reference

Task	Command
Extract everything	`openssl pkcs12 -in f.pfx -out all.pem -nodes`
Extract cert only	`openssl pkcs12 -in f.pfx -clcerts -nokeys -out cert.pem`
Extract key only	`openssl pkcs12 -in f.pfx -nocerts -nodes -out key.pem`
Extract CA chain	`openssl pkcs12 -in f.pfx -cacerts -nokeys -out chain.pem`
Create PFX from PEM	`openssl pkcs12 -export -out f.pfx -inkey key.pem -in cert.pem`
Fix legacy PFX	Add `-legacy` flag
Verify key matches cert	Compare `openssl x509 -modulus` vs `openssl rsa -modulus`

Summary

PFX-to-PEM conversion is straightforward once you know the right OpenSSL flags. The key commands are -clcerts, -cacerts, -nocerts, -nokeys, and -nodes. Always verify your extracted key matches the certificate, set strict file permissions on private keys, and remember to build the full chain file for your server configuration.

For a visual alternative, try the PFX Decoder — it runs entirely in your browser, so your PFX file and private key never leave your device.

What's Inside a PFX File?

A PFX file is a container that can hold:

End-entity certificate — your server or client certificate
Private key — the corresponding RSA/ECDSA private key
Intermediate certificates — the CA chain needed for verification
Root certificate — sometimes included (but not always needed)

All contents are encrypted with a password using PKCS#12 encryption.

Where PFX Files Come From

You'll encounter PFX files when:

Exporting certificates from Windows/IIS
Receiving certificates for code signing
Setting up S/MIME email encryption
Backing up client certificates for mutual TLS (mTLS)
Migrating certificates between Windows and Linux servers
Importing/exporting from Java keystores (via conversion)

Converting PFX to PEM with OpenSSL

Extract Everything (Certificate + Key + Chain)

openssl pkcs12 -in certificate.pfx -out everything.pem -nodes

-nodes means "no DES" — the private key won't be encrypted in the output
You'll be prompted for the PFX password
The output file contains all certificates and the private key mixed together

Extract Only the Certificate

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem

-clcerts selects only the client (end-entity) certificate
-nokeys excludes the private key

Extract Only the Private Key

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem

-nocerts excludes all certificates
-nodes outputs the key unencrypted

Security note: Set strict permissions on the key file immediately:

chmod 600 key.pem

Extract Only the CA Chain (Intermediates)

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out chain.pem

-cacerts selects only CA certificates (not the end-entity)
This gives you the intermediate certificates needed for your server config

Build the Full Chain File for Nginx

For Nginx, you need a file with the end-entity cert followed by intermediates:

# Extract cert and chain separately
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -chain -out chain.pem

# Concatenate in the correct order
cat cert.pem chain.pem > fullchain.pem

# Extract the private key
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem
chmod 600 key.pem

Then in your Nginx config:

ssl_certificate     /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;

Converting PEM Back to PFX

Sometimes you need to go the other direction — create a PFX from PEM files:

# Basic: cert + key
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem

# With intermediate chain
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem \
  -certfile chain.pem

# With a friendly name (visible in Windows cert store)
openssl pkcs12 -export -out certificate.pfx \
  -inkey key.pem \
  -in cert.pem \
  -certfile chain.pem \
  -name "My Server Certificate"

You'll be prompted to set an export password.

Common Pitfalls

1. Incorrect Password

Mac verify error: invalid password?

PFX passwords are case-sensitive. Some PFX files have an empty password (not no password). Try:

# Empty password (press Enter when prompted)
openssl pkcs12 -in cert.pfx -out cert.pem -nodes

# Or specify empty password explicitly
openssl pkcs12 -in cert.pfx -out cert.pem -nodes -passin pass:

2. Legacy PFX Format (OpenSSL 3.x)

OpenSSL 3.x changed the default PKCS#12 algorithms. Older PFX files might fail with:

Error outputting keys and certificates

Fix by enabling legacy support:

openssl pkcs12 -in old.pfx -out cert.pem -nodes -legacy

When creating PFX files for older Windows systems:

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem \
  -certfile chain.pem -legacy

3. Missing Chain Certificates

If the PFX only contains the end-entity cert and key (no intermediates), you'll need to download the intermediates separately from your CA.

# Check what's in the PFX
openssl pkcs12 -in cert.pfx -nokeys -out certs.pem -nodes
grep -c "BEGIN CERTIFICATE" certs.pem
# 1 = only server cert (missing chain)
# 2+ = chain included

4. Key Doesn't Match Certificate

After extraction, verify the key matches the certificate:

# Compare modulus hashes — they must be identical
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5

Browser-Based Alternative

If you don't have OpenSSL installed or prefer a visual approach, the PFX Decoder tab in our SSL Certificate Decoder can:

Decode PFX files entirely in your browser (the file never leaves your device)
Display all certificates with full details (subject, issuer, validity, SANs, key usage)
Show the private key (collapsed, with a security warning)
Let you copy the full chain in PEM format

This is especially useful when you need to quickly inspect a PFX file you received and determine what certificates it contains before deploying.

Quick Reference

Task	Command
Extract everything	`openssl pkcs12 -in f.pfx -out all.pem -nodes`
Extract cert only	`openssl pkcs12 -in f.pfx -clcerts -nokeys -out cert.pem`
Extract key only	`openssl pkcs12 -in f.pfx -nocerts -nodes -out key.pem`
Extract CA chain	`openssl pkcs12 -in f.pfx -cacerts -nokeys -out chain.pem`
Create PFX from PEM	`openssl pkcs12 -export -out f.pfx -inkey key.pem -in cert.pem`
Fix legacy PFX	Add `-legacy` flag
Verify key matches cert	Compare `openssl x509 -modulus` vs `openssl rsa -modulus`

Summary

For a visual alternative, try the PFX Decoder — it runs entirely in your browser, so your PFX file and private key never leave your device.

PFX to PEM Conversion: A Practical Guide

What's Inside a PFX File?

Where PFX Files Come From

Converting PFX to PEM with OpenSSL

Extract Everything (Certificate + Key + Chain)

Extract Only the Certificate

Extract Only the Private Key

Extract Only the CA Chain (Intermediates)

Build the Full Chain File for Nginx

Converting PEM Back to PFX

Common Pitfalls

1. Incorrect Password

2. Legacy PFX Format (OpenSSL 3.x)

3. Missing Chain Certificates

4. Key Doesn't Match Certificate

Browser-Based Alternative

Quick Reference

Summary

Related Resources

What's Inside a PFX File?

Where PFX Files Come From

Converting PFX to PEM with OpenSSL

Extract Everything (Certificate + Key + Chain)

Extract Only the Certificate

Extract Only the Private Key

Extract Only the CA Chain (Intermediates)

Build the Full Chain File for Nginx

Converting PEM Back to PFX

Common Pitfalls

1. Incorrect Password

2. Legacy PFX Format (OpenSSL 3.x)

3. Missing Chain Certificates

4. Key Doesn't Match Certificate

Browser-Based Alternative

Quick Reference

Summary