Convert SSL Certificates from PFX to PEM Format

Convert the certificates obtained in PFX format to PEM format for deployment to servers

In this article, we will discuss about converting certificates obtained in PFX format (using a third-party SSL Signing authority or by an ACME client for free Lets Encrypt Certificates) and even Wildcard LE Certificates into format that you can use in your web server for deployment. This process applies both to a fresh acquisition of certificate and even renewal of your SSL certificate.

This PFX file is a combination of private key as well as public certificate.

Some ACME clients do give you certificates in PFX format which can not be easily deployed to servers like Apache and nginx. So, you need to convert them to proper format before they can be used.

The Easy Way

There are various online facilities available using which you can easily convert the PFX format into PEM and CRT files seperately.

One of them is a tool by SSL Shopper (a certificate purchasing website)

SSL Shopper - SSL Converter Tool

To convert the certificates, simply select the Certificate File to Convert and Choolse PFX/PKCS#12 in the type of current certificate.

You'll also need to provide the PFX password, if any is set. Or you can leave it empty if there is no password.

After that, click the Convert Certificate button and the certificate will be sent to SSL Converter server where the certificate will be converted and then back to you in the desired format. Easy!

Another tool is provided by Namecheap (along with other such tools including CSR Generator, SSL Checker etc).

Namecheap SSL Converter

To convert, you will have to choose PKCS#12 to PEM tab and then select the PFX file.

You'll also need to provide the password to PFX file, if any was set. And then you are ready to begin. Just click the Convert button.

Your file will be sent to Namecheap and it will give you back a zip file containing the private PEM key file and public CRT file.

The terminal way

The conversion can also be done using terminal as well. All you would need is OpenSSL installed on the system and the files that you need to convert.

Simply enter the following commands into terminal to convert the PFX key into PEM format (containing both the private key and public certificate):

openssl pkcs12 -in signed.pfx -out signed.pem -nodes

And you will have your file converted to PEM format. But as this file contains, both the private key and public certificate in single file, you may not be able to use it as is.

To convert the PFX file into two files - separate private and public key by extracting, you can follow the following commands:

openssl pkcs12 -in signed.pfx -nocerts -out private.pem

Now, you need to extract the public certificate for this PFX key:

openssl pkcs12 -in signed.pfx -clcerts -nokeys -out public

Now, you have both your private key as well as public key extracted from PFX file and ready for deployment.

However, if you are still unable to use this file in server (or you need extra steps to enable it being used), you may use the following command to remove the password from this pem file:

openssl rsa -in private.pem -out server.key