Certificate Depot

Convert PEM to PFX (PKCS#12) with OpenSSL

Bundle your cert and key into a single password-protected PFX file — the format Windows, IIS, and Java expect.

PEM (two files: .crt + .key) is the native format on Linux and most open-source servers. PFX (also called PKCS#12, .pfx, or .p12) bundles both into a single password-protected file — required by IIS, Windows Certificate Store, and Java keystores.

Basic conversion

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private-key.pem \
  -in certificate.pem \
  -name "My Certificate"

OpenSSL will prompt for a password. Enter something non-empty — Windows refuses to import PFX files with empty passwords.

Including a CA chain

If your cert has a chain (intermediate CA certs), include them with -certfile:

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private-key.pem \
  -in certificate.pem \
  -certfile ca-chain.pem \
  -name "My Certificate"

Scripting (non-interactive)

To avoid the password prompt, pass the password with -passout (with -export, -password is an equivalent alias):

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private-key.pem \
  -in certificate.pem \
  -password pass:MyPassword123

Security warning: Using pass: puts the password in your shell history and process list. Prefer file:/path/to/passwordfile or env:VARNAME.

Skip the conversion entirely

Our generator can output PFX directly. Pick "PFX" as the output format, enter a password, and get a ready-to-import file.

Reverse: PFX to PEM

Extract the certificate:

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

Extract the private key (unencrypted — dev only):

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private-key.pem

Extract the CA chain only:

openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-chain.pem

Modern vs legacy PKCS#12

OpenSSL 3+ uses modern PKCS#12 encryption (AES-256) by default, which some older Windows versions can't read. If IIS or a legacy Windows tool refuses to import your PFX, regenerate with legacy encryption:

openssl pkcs12 -export -legacy \
  -out certificate.pfx \
  -inkey private-key.pem \
  -in certificate.pem

Troubleshooting

"Error unable to get local issuer certificate"

Your cert is signed by a chain your OpenSSL can't resolve. Use -certfile to supply the chain, or use -CAfile /etc/ssl/certs/ca-certificates.crt.

"Mac verify error"

Wrong password when decrypting a PFX. If you don't know the password, there's no recovery — you'll need the original PEM files.

The PFX imports but is "not associated with a private key"

The private key didn't match the certificate's public key. Check with our PEM decoder — if the public key differs from what your key computes, they're not a matching pair.
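
The scripted conversion from "Scripting (non-interactive)", combined with a key/certificate match check for the "not associated with a private key" case above, as an added example that is not part of the original guide. The function names, file names and demo password are assumptions, and the PEM key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example; function and file names are assumptions, not from the page.

# True only if the certificate's public key equals the one derived from the key.
pair_matches() {  # pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build the PFX with the password read from a file, never from argv.
make_pfx() {  # make_pfx CERT KEY OUT PASSFILE
    pair_matches "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    first_line=; IFS= read -r first_line < "$4" || true
    [ -n "$first_line" ] || { echo "password file is empty" >&2; return 1; }
    ( umask 077   # the PFX holds the private key: owner-only permissions
      openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" \
          -name "My Certificate" -passout "file:$4" )
}

# Re-open the PFX with the same password file; fails on a wrong password (MAC error).
verify_pfx() {  # verify_pfx PFX PASSFILE
    openssl pkcs12 -in "$1" -noout -passin "file:$2" 2>/dev/null
}

# Constructed demo input: two throwaway self-signed pairs and a password file.
demo_setup() {  # demo_setup DIR
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    ( umask 077; printf '%s\n' 'constructed-demo-password' > "$1/pass.txt" )
}

demo_dir=$(mktemp -d) && demo_setup "$demo_dir" \
    && make_pfx "$demo_dir/a.crt" "$demo_dir/a.key" "$demo_dir/a.pfx" "$demo_dir/pass.txt" \
    && verify_pfx "$demo_dir/a.pfx" "$demo_dir/pass.txt" && echo "a.pfx built and verified"
rm -rf "$demo_dir"
```

To take the password from the environment instead, replace file:$4 with env:VARNAME as the guide suggests.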
