While having your SSL/TLS certificate in a PFX file is great, as most applications support the PFX file, there are still some cases where a PFX file is not supported, and you need the certificate in the PEM format as a CRT file (also called a CER file) with a key file (also called a PEM file).
In this post, I will show you step-by-step how to convert a PFX file into a single file or individual files, with and without passwords. Each method supports the PEM format.
Prerequisites
- OpenSSL binary installed. You can find the OpenSSL binaries on the OpenSSL wiki.
- Exported certificate as a PFX file. If you need to learn how, my post on Exporting a Certificate with MMC details all the steps.
- Password for the PFX file.
The Process
- Place your PFX file in a working directory. I will be using C:\SSL as my working directory.
- Open a command line. You can use Linux or Windows. The commands are all the same regardless of which OS you are using. I will be using Microsoft Windows with Windows Terminal and PowerShell.
Depending on your needs, you may need to convert your PFX file in several different ways. Here are the methods that I will cover.
- Export Certificate Only
- Export CA Certificates Only
- Export Keys Only without a Password
- Export Keys Only with a Password
- Export Everything as One File without a Password
- Export Everything as One File with a Password
All of the commands below will use the following options.
- pkcs12 tells OpenSSL that the file it is being fed is a PKCS#12 file. PKCS#12 is another name for a PFX file.
- -in tells OpenSSL where the source file is.
- -out tells OpenSSL where to store the converted file.
Export Certificate Only
The command below will only export the certificate. We use the option -clcerts to tell OpenSSL to export only the client certificate and the option -nokeys to tell OpenSSL not to output any private keys.
- Run the following command to export the client certificate from the PFX file. Replace PATH_TO_PFX with the path to your PFX file, and replace PATH_TO_OUTPUT with the location where you want the exported certificate saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -clcerts -nokeys -out PATH_TO_OUTPUT.crt
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -clcerts -nokeys -out C:\ssl\wild-ssl-2024-cert-only.crt
- Enter the password you set when you created your PFX file.
Export CA Certificates Only
The command below will only export the CA certificates. We use the option -cacerts to tell OpenSSL to export only the CA certificates and the option -nokeys to tell OpenSSL not to output any private keys.
- Run the following command to export the CA certificates from the PFX file. Replace PATH_TO_PFX with the path of your PFX file, and replace PATH_TO_OUTPUT with the location where you want the exported CA certificates saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -cacerts -nokeys -out PATH_TO_OUTPUT.crt
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -cacerts -nokeys -out C:\ssl\wild-ssl-2024-ca-cert-only.crt
- Enter the password you set when you created your PFX file.
Export Keys Only without a Password
This one is dangerous as it leaves the private key for your certificate without a password. However, some applications still require this.
The command below will export the private key without encryption, meaning you won’t need a password to use the key file. We will use the option -nocerts to tell OpenSSL not to export any certificates and the option -noenc to tell OpenSSL not to protect the private keys with a password.
You could use the older -nodes option. However, it has been deprecated and replaced by the -noenc option.
- Run the following command to export the private key from the PFX file and save it without a password. Replace PATH_TO_PFX with the path of your PFX file, and replace PATH_TO_OUTPUT with the location where you want the converted private key saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -nocerts -noenc -out PATH_TO_OUTPUT.key
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -nocerts -noenc -out C:\ssl\wild-ssl-2024-keys-only.key
- Enter the password you set when you created your PFX file.
Export Keys Only with a Password
To keep your private key more secure, you can export it with a password, which will also encrypt it. We will do this by omitting the -noenc option. We will still use the option -nocerts to tell OpenSSL not to export any certificates.
- Run the following command to export the private key from the PFX file and save it with a password. Replace PATH_TO_PFX with the path of your PFX file, and replace PATH_TO_OUTPUT with the location where you want the converted private key saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -nocerts -out PATH_TO_OUTPUT.key
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -nocerts -out C:\ssl\wild-ssl-2024-keys-only-enc.key
- Enter the password you set when you created your PFX file.
- Enter a password to protect and encrypt your private key.
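To check which exported files still hold an unprotected key, the shell functions below classify a PEM file by its header lines and set mode 600 on any file containing an unencrypted private key. This is an added example, not part of the original post; it assumes a Linux or macOS shell, the function names and sample files are constructed for illustration, and the check for traditional RSA/EC/DSA headers goes beyond the output shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post): classify the private key in a
# PEM file by its header lines and lock down files with an unencrypted key.

# Prints one of: none | encrypted | unencrypted
pem_key_state() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        /^-----BEGIN PRIVATE KEY-----$/           { plain = 1 }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { enc = 1 }
        # Traditional formats flag encryption on the line after BEGIN.
        /^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----$/ { legacy = 1; next }
        legacy {
            if ($0 ~ /^Proc-Type: 4,ENCRYPTED/) enc = 1
            else plain = 1
            legacy = 0
        }
        END {
            if (plain) print "unencrypted"
            else if (enc) print "encrypted"
            else print "none"
        }
    ' "$1"
}

# Set mode 600 on every file in directory $1 that holds an unencrypted
# private key, and print the path of each file changed.
lock_down_unencrypted_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(pem_key_state "$f")" = "unencrypted" ]; then
            chmod 600 "$f"
            echo "$f"
        fi
    done
}

# Demo on constructed files; the base64 bodies are placeholders, not keys.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' \
    '-----END PRIVATE KEY-----' > "$demo_dir/keys-only.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'UExBQ0VIT0xERVI=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo_dir/keys-only-enc.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
    '-----END CERTIFICATE-----' > "$demo_dir/cert-only.crt"
lock_down_unencrypted_keys "$demo_dir"   # prints only the keys-only.key path
```

The same functions work on a combined file, since any unencrypted key block in the file marks it as unencrypted.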
Export Everything as One File without a Password
Sometimes, you still want to live dangerously and export everything to a single file without a password protecting your private key.
The command below will export everything, including the private key, without encryption. We will use the option -noenc to tell OpenSSL not to protect the private keys with a password.
You could use the older -nodes option. However, it has been deprecated and replaced by the -noenc option.
- Run the following command to export everything from the PFX file and save it without a password. Replace PATH_TO_PFX with the path of your PFX file, and replace PATH_TO_OUTPUT with the location where you want the converted file saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -noenc -out PATH_TO_OUTPUT.crt
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -noenc -out C:\ssl\wild-ssl-2024-everything.crt
- Enter the password you set when you created your PFX file.
Export Everything as One File with a Password
I like to export everything into a single file and manually pull the items I need from it. The command below will export the client certificate, the CA certificates, and the private key and encrypt the private key with a password.
- Run the following command to export everything from the PFX file and protect the private key with a password. Replace PATH_TO_PFX with the path of your PFX file, and replace PATH_TO_OUTPUT with the location where you want the converted file saved.
openssl pkcs12 -in PATH_TO_PFX.pfx -out PATH_TO_OUTPUT.crt
For me, that command will look like:
openssl pkcs12 -in C:\SSL\wild-ssl-2024.pfx -out C:\ssl\wild-ssl-2024-everything-enc.crt
- Enter the password you set when you created your PFX file.
- Enter a password to protect and encrypt your private key.
Tip
If the application you are uploading the converted certificate to is very picky, you may need to manually edit the file with a text editor and remove the extra attributes (sometimes they show up as Bag Attributes and Key Attributes) before the certificates and private key. This is a side effect of converting the certificate.
For a clean certificate you should only have -----BEGIN PRIVATE KEY-----, which closes with -----END PRIVATE KEY-----, along with the various -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Anything outside of that is just extra and not needed.
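The manual cleanup in this tip, and pulling individual items out of a combined export, can both be scripted. The following is an added example, not part of the original post: a shell function (split_pem, a name chosen here) that writes each PEM block to its own file and leaves the attribute lines behind. The sample input is constructed and its base64 bodies are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): split a combined pkcs12 export
# into one file per PEM block, dropping everything outside the blocks.

# split_pem INPUT OUTDIR writes OUTDIR/key-N.pem and OUTDIR/cert-N.pem.
split_pem() {
    (
        umask 077   # files are created readable by the owner only
        awk -v dir="$2" '
            { sub(/\r$/, "") }   # tolerate CRLF files written on Windows
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                if ($0 ~ /PRIVATE KEY/) file = dir "/key-" (++k) ".pem"
                else                    file = dir "/cert-" (++c) ".pem"
                inside = 1
            }
            inside { print > file }
            /^-----END [A-Z0-9 ]+-----$/ { if (inside) close(file); inside = 0 }
        ' "$1"
    )
}

# Constructed sample shaped like pkcs12 output; bodies are placeholders.
sample_export() {
    cat <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = example.test
issuer=CN = Example Test CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
S0VZLVBMQUNFSE9MREVS
-----END ENCRYPTED PRIVATE KEY-----
EOF
}
work=$(mktemp -d) && mkdir "$work/split"
sample_export > "$work/everything-enc.crt"
split_pem "$work/everything-enc.crt" "$work/split"
ls "$work/split"   # cert-1.pem cert-2.pem key-1.pem
```

The output directory must already exist, and blocks are numbered in the order they appear in the input.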
That’s all it takes to convert a PFX certificate file to various other formats with and without a password.
If you want to read more about all the options available for OpenSSL, here is the OpenSSL documentation.