Extracting PEM and Private Key from PFX SSL Certificate

PKCS#12 archives (commonly known as .pfx files) usually contain both a certificate and its private key, sometimes with password protection. In order to use these with a server like nginx or Apache, we need to extract these objects and convert them using openssl.

(The commands below assume your file is named certificate.pfx.)

Extracting the private key

openssl pkcs12 -in certificate.pfx -out private.key -nocerts -nodes

Extracting the PEM certificate

openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys

Extracting intermediate certificates

openssl pkcs12 -in certificate.pfx -out ca.pem -clcerts -nokeys

Alternatively, you could use a tool like https://whatsmychaincert.com to generate this based on your public certificate.

Enjoy this article?

About Colin O'Dell

Colin O'Dell

Colin O'Dell is a Senior Software Engineer at SeatGeek. In addition to being an active member of the PHP League and maintainer of the league/commonmark project, Colin is also a PHP docs contributor, conference speaker, and author of the PHP 7 Migration Guide.