How to Convert PFX Certificate to PEM File using OpenSSL?

Converting a PFX (PKCS #12) file to PEM (Privacy Enhanced Mail) format is quite simple on Linux and Unix like systems. In this blog post, we will see how to convert a certificate file in PFX format to PEM file using  OpenSSL from the command line.

What is a PFX file?

PFX (also PKCS#12) is a file format that contains certificate(s) and private key(s) encrypted with a password. It usually has .pfx or .p12 file extensions. PFX files are typically used to securely transfer SSL certificates and their private keys from one server to another.

What is a PEM file?

PEM (Privacy Enhanced Mail) is another file format that may contain just the certificate or the certificate with its private key. PEM files usually have extensions such as .pem, .key, .crt, .cer, etc. PEM encoded files are widely used for storing SSL certificates and keys on web servers.

Converting PFX to PEM using OpenSSL

You can use the OpenSSL command line tool to convert a PFX file to PEM format. An open-source toolkit that implements Secure Sockets Layer (SSL) and Transport Layer Security ( TLS ) protocols as well as general-purpose cryptography libraries.

To convert PFX to a PEM file containing a certificate as well as a private key:

openssl pkcs12 -in certname.pfx -out certname.pem -nodes

To convert PFX and get separate PEM files for certificate and key:

# Extract private key 
openssl pkcs12 -in certname.pfx -nocerts -out key.pem 

# Extract certificate
openssl pkcs12 -in certname.pfx -clcerts -nokeys -out cert.pem

You can also remove passphrase from the private key:

openssl rsa -in key.pem -out server.key

And finally, concatenate the key and certificate:

cat key.pem cert.pem > certname-full.pem

This will give you a combined PEM file with a certificate and unlocked private key that can be used on web servers like Nginx/Apache.

See also  New Malware Developed Targeting Apple’s M1 Chip Has Found!

Hope this post helped you in understanding and converting PFX certificates to PEM format on Linux/Unix systems using the OpenSSL command line tool. Let me know if you have any questions!

Leave a Reply

Your email address will not be published. Required fields are marked *