How to Convert .pfx to .crt/.pem Files

Mert Ilis
2 min read · Oct 20, 2020

PFX is best known as the certificate archive format used in Windows environments. It is a binary container that holds the public certificate, the private key, and any intermediate certificates. The format's general name is PKCS12.

Most pfx files are protected with a password, so you need to know that password before you can operate on the file.

Sometimes I need plain text certificates and/or the private keys. In order to extract these from the pfx file, the OpenSSL tool can be used.

The following steps show how to get a public certificate and plain text private key out of the certificate pfx.

STEP 1: Exporting certificate file (public.crt):

OpenSSL> pkcs12 -in input.pfx -clcerts -nokeys -out public.crt

You should enter the password of the pfx file in order to export the public certificate (public.crt).

STEP 2: Exporting encrypted certificate key (private.key):

OpenSSL> pkcs12 -in input.pfx -nocerts -out private.key

You should first enter the password of the pfx file to start the export operation, and then provide a new password to secure the private.key file.

STEP 3: Generating PEM certificate key (private-pem.key):

OpenSSL> rsa -in private.key -outform PEM -out private-pem.key

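You should enter the password of the private.key file in order to generate the private-pem.key file. This is the plain text private key mentioned above: it is written without a passphrase, so store it accordingly.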
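The three steps above as a non-interactive script, added here as an example (it is not part of the original post): passwords are supplied through environment variables instead of prompts, `umask 077` restricts the extracted files to their owner, and a final check confirms that public.crt and private-pem.key carry the same public key. The function names, the passwords and the throwaway self-signed PFX are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Output file names follow the post;
# function names, passwords and the self-signed sample PFX are constructed.

# Build a throwaway PFX so the example runs offline. $1 = dir, $2 = PFX password
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
    P="$2" openssl pkcs12 -export -inkey "$1/sample.key" -in "$1/sample.crt" \
        -passout env:P -out "$1/input.pfx"
}

# Steps 1-3, then check that the certificate and key share one public key.
# $1 = pfx file, $2 = PFX password, $3 = new key password, $4 = output dir
extract_and_verify() {
    (
        umask 077                         # extracted files readable by owner only
        export PFXPASS="$2" KEYPASS="$3"  # env: keeps passwords out of argv
        mkdir -p "$4" || exit 1
        # STEP 1: leaf certificate, no keys
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFXPASS \
            -out "$4/public.crt" || exit 1
        # STEP 2: private key, re-encrypted under the new password
        openssl pkcs12 -in "$1" -nocerts -passin env:PFXPASS \
            -passout env:KEYPASS -out "$4/private.key" || exit 1
        # STEP 3: decrypt the key; private-pem.key is unprotected on disk
        openssl rsa -in "$4/private.key" -passin env:KEYPASS -outform PEM \
            -out "$4/private-pem.key" 2>/dev/null || exit 1
        cert_pub=$(openssl x509 -in "$4/public.crt" -noout -pubkey) || exit 1
        key_pub=$(openssl pkey -in "$4/private-pem.key" -pubout) || exit 1
        if [ "$cert_pub" = "$key_pub" ]; then echo match
        else echo MISMATCH; exit 1; fi
    )
}

demo=$(mktemp -d) && make_sample_pfx "$demo" pfx-secret &&
    extract_and_verify "$demo/input.pfx" pfx-secret key-secret "$demo/out"
rm -rf "$demo"
```

The public-key comparison catches the case where a certificate and key from different exports end up side by side, which otherwise only surfaces when a server refuses to start.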

Or, One Step Command for Extracting Data:

OpenSSL> pkcs12 -in input.pfx -out fields.txt -nodes

You should enter the password of the pfx file. The resulting fields.txt includes sections for the private key (beginning with “-----BEGIN PRIVATE KEY-----”) and the public certificate (beginning with “-----BEGIN CERTIFICATE-----”). Because of the -nodes option, the private key in fields.txt is not encrypted. You can copy and paste these sections into two different files with .key and .crt extensions.

Hope it helps!
