Certificates, 2026-05-29

How to Convert PFX to PEM (OpenSSL + Online)

Convert a .pfx/.p12 file to PEM with OpenSSL or in your browser. Split the cert, key, and chain, handle the password, and fix the legacy-algorithm error.


You exported a certificate from Windows or a load balancer and got a .pfx file, but the thing you're configuring — Nginx, Apache, HAProxy, a Node server — wants PEM. Converting PFX to PEM is a routine task, but the details (password handling, splitting the bundle, the legacy-algorithm error) trip people up.

This guide covers both the OpenSSL commands and a browser option, and explains exactly what comes out the other side.

PFX vs PEM: What You're Converting

A PFX file (also called PKCS#12 or .p12) is a single, password-protected binary container that bundles everything: the certificate, its private key, and usually the intermediate chain. It's the standard export format on Windows.

PEM is the opposite: a text format (Base64 wrapped in -----BEGIN...----- headers) where each piece typically lives in its own file. Most Linux/Unix software expects PEM. For the full format landscape, see SSL Certificate Formats Explained.

So "convert PFX to PEM" really means unpack the bundle into its parts: certificate, private key, and chain.

The OpenSSL Commands

You'll be prompted for the PFX import password (set when the file was exported).

Extract the certificate (public cert only):

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out certificate.pem

Extract the private key (still encrypted):

openssl pkcs12 -in cert.pfx -nocerts -out private-key.pem

This asks for the import password, then prompts you to set a new PEM passphrase on the key.

Extract an unencrypted private key (for servers that can't prompt for a passphrase at startup):

openssl pkcs12 -in cert.pfx -nocerts -nodes -out private-key.pem

-nodes means "no DES" — it leaves the key unencrypted. Only do this if the file will be stored securely with tight permissions (chmod 600).

Extract the CA chain (intermediates):

openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pem

Everything in one file:

openssl pkcs12 -in cert.pfx -out all.pem -nodes

The Browser Option (No OpenSSL)

If you don't have OpenSSL handy or you're on Windows without it, use the PFX to PEM Converter. Select the .pfx file, enter its password, and it unpacks the certificate, key, and chain into PEM — entirely in your browser, so the private key never touches a server. The SSL Converter hub handles the other direction (PEM → PFX) and related format conversions.

The Legacy Algorithm Error

With OpenSSL 3.0+, older PFX files (especially those exported from older Windows versions) throw:

Error outputting keys and certificates
... unsupported ... RC2-40-CBC

OpenSSL 3 moved the weak ciphers that old PFX files use (RC2-40-CBC among them) into its optional legacy provider, which is not loaded by default. Add the -legacy flag to load it for this conversion:

openssl pkcs12 -in cert.pfx -out all.pem -nodes -legacy

This is the single most common PFX-conversion error on modern systems. If a command that "should work" fails with an algorithm complaint, add -legacy.

Verify the Result

Two quick checks confirm the conversion worked:

1. Inspect the certificate. Paste the extracted certificate.pem into the PEM Decoder to confirm it parses and shows the expected subject, issuer, and validity dates. The decoder also confirms you split the blocks correctly (cert vs key vs chain).

2. Confirm the key matches the cert. A classic mistake is extracting a key that doesn't correspond to the certificate. The Certificate Key Matcher compares the modulus of the certificate and private key and tells you instantly whether they pair up — do this before deploying.

Using the Files

A typical Nginx config after conversion:

ssl_certificate     /etc/ssl/fullchain.pem;   # certificate + chain.pem concatenated
ssl_certificate_key /etc/ssl/private-key.pem;

Concatenate certificate.pem and chain.pem (leaf first) into fullchain.pem so the server presents the complete chain — otherwise clients hit the "unable to get local issuer certificate" error.
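The whole procedure above, as one script, is an added example and not part of the original article: it runs the three extraction commands with the -legacy retry from the "Legacy Algorithm Error" section, builds fullchain.pem leaf-first as described here, and performs command-line versions of the two checks in "Verify the Result" (the certificate parses and shows its subject/issuer/dates; the key belongs to the certificate). Instead of comparing the RSA modulus as the Key Matcher does, it compares hashes of the public key, which also covers EC keys. It assumes openssl (1.1.1 or 3.x) is on PATH; the working directory, file names, the demo password and the throwaway CA/leaf pair it generates so it can run offline are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: PFX -> PEM as a script, with
# the -legacy retry, the cert / key / chain split, the fullchain build and
# CLI versions of the verification checks.
# Assumptions: openssl (1.1.1 or 3.x) is on PATH. Working directory, file
# names and the password below are constructed for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
PFX_PASS='constructed-demo-password'   # constructed sample value, not a real secret

# Keep only the PEM blocks; drops the "Bag Attributes" lines pkcs12 prints.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p'; }

# Test fixture only: build a throwaway CA + leaf and bundle them as a PFX.
# In real use you already have cert.pfx and skip this step.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Demo CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
        -certfile "$WORK/ca.pem" -out "$WORK/cert.pfx" -passout "pass:$PFX_PASS"
}

# Unpack a PFX into certificate.pem / private-key.pem / chain.pem / fullchain.pem.
# Args: pfx-file  password  output-dir.  Returns 1 if the bundle cannot be read.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    legacy=""
    # Probe the bundle. If OpenSSL 3 rejects its old cipher (e.g. RC2-40-CBC),
    # retry with -legacy and keep that flag for the real extraction commands.
    if ! openssl pkcs12 -in "$pfx" -info -noout -passin "pass:$pass" >/dev/null 2>&1; then
        legacy="-legacy"
        openssl pkcs12 -in "$pfx" -info -noout -passin "pass:$pass" $legacy >/dev/null 2>&1 || return 1
    fi
    # Leaf certificate only (-clcerts -nokeys)
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" $legacy 2>/dev/null \
        | pem_only > "$out/certificate.pem"
    # Unencrypted key (-nodes; OpenSSL 3 also accepts -noenc). The subshell umask
    # makes the file 0600 from the moment it is created, not after the fact.
    ( umask 077; openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" $legacy 2>/dev/null \
        | pem_only > "$out/private-key.pem" )
    # Intermediates only (-cacerts -nokeys)
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" $legacy 2>/dev/null \
        | pem_only > "$out/chain.pem"
    # fullchain = leaf first, then the chain, which is what ssl_certificate expects
    cat "$out/certificate.pem" "$out/chain.pem" > "$out/fullchain.pem"
}

# CLI equivalents of the article's checks: the cert parses and shows its fields,
# the private key really belongs to it (same public key, RSA or EC), and the
# first certificate in chain.pem is the leaf's issuer.
verify_pem() {
    out=$1
    openssl x509 -in "$out/certificate.pem" -noout -subject -issuer -dates
    cert_pub=$(openssl x509 -in "$out/certificate.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$out/private-key.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does NOT match certificate" >&2; return 1; }
    leaf_issuer=$(openssl x509 -in "$out/certificate.pem" -noout -issuer_hash)
    chain_subject=$(openssl x509 -in "$out/chain.pem" -noout -subject_hash)
    [ "$leaf_issuer" = "$chain_subject" ] || { echo "chain.pem does not issue certificate.pem" >&2; return 1; }
    # For a production bundle, also validate the path against the system root store:
    #   openssl verify -untrusted "$out/chain.pem" "$out/certificate.pem"
}

# Demo run: build the fixture, convert it, verify the result.
make_test_pfx
pfx_to_pem "$WORK/cert.pfx" "$PFX_PASS" "$WORK/pem"
verify_pem "$WORK/pem"
echo "PEM files written to $WORK/pem:"; ls -l "$WORK/pem"
```

To use it on a real export, skip make_test_pfx and call pfx_to_pem with your own .pfx path, its import password and an output directory; a wrong password or an unreadable bundle makes the function return 1 before any file is written. The pem_only filter is there because pkcs12 writes "Bag Attributes" text above each block; OpenSSL-based servers skip it, but stripping it keeps fullchain.pem clean and makes the split obvious at a glance.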

Quick Reference

  • PFX/PKCS#12 is one password-protected binary bundle; PEM is text, usually split into cert / key / chain.
  • Cert: openssl pkcs12 -in cert.pfx -clcerts -nokeys -out certificate.pem.
  • Unencrypted key: add -nocerts -nodes. Chain: -cacerts -nokeys.
  • OpenSSL 3 + old PFX → add -legacy to fix the unsupported-algorithm error.
  • No OpenSSL? Use the PFX to PEM Converter in your browser.
  • Verify with the PEM Decoder and confirm the pair with the Certificate Key Matcher.