Convert .pfx to .pem Certificates Using OpenSSL

I’m writing this short reference for myself and for others in my office. We frequently have to work with certificate files for various web based services and applications that we support. OpenSSL is a handy tool to work with these files directly from the command line or Terminal.

Terminal CLI command to convert .pfx to .pem

Use the following in Terminal to convert your .pfx cert to a .pem cert. You will need to authenticate with the passphrase used to generate the .pfx certificate.

openssl pkcs12 -in client_ssl.pfx -out client_ssl.pem -clcerts

In the above command, client_ssl.pfx is the path to the cert file ending in .pfx. For example, if you have the client_ssl.pfx cert on your Desktop (macOS), then you would use ~/Desktop/client_ssl.pfx. The client_ssl.pem is the path where you want to save the converted .pem certificate. So if I want to save the .pem file created by this command to my Desktop (macOS), then I would use ~/Desktop/client_ssl.pem.

Putting this all together in one command would result in the following:

openssl pkcs12 -in ~/Desktop/client_ssl.pfx -out ~/Desktop/client_ssl.pem -clcerts
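
By default the .pem written by the command above holds both the certificate and the private key in one file. The script below is an added example, not part of the original post: it writes the certificate and an AES-256 encrypted key to separate files and checks that they belong together. The pass phrase variables PFX_PASS and PEM_PASS, the function names, and the throwaway demo certificate are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example. File names and pass phrases are constructed placeholders.
# Pass phrases are read from the environment (PFX_PASS, PEM_PASS) so they
# do not show up in the process list or in shell history.

# pfx_split <in.pfx> <out_dir>: write cert.pem (no key) and key.pem (encrypted)
pfx_split() (
  umask 077                      # owner-only files; the subshell keeps this local
  mkdir -p "$2" || exit 1
  # -nokeys: certificate only, nothing secret ends up in this file
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
    -out "$2/cert.pem" || exit 1
  # -nocerts: private key only, re-encrypted with AES-256 under PEM_PASS
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -aes256 \
    -passout env:PEM_PASS -out "$2/key.pem" || exit 1
)

# key_matches_cert <cert.pem> <key.pem>: succeed only if both carry the same public key
key_matches_cert() (
  c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
  k=$(openssl pkey -in "$2" -passin env:PEM_PASS -pubout) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# make_demo_pfx <dir>: throwaway self-signed cert bundled as client_ssl.pfx (constructed input)
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
    -name demo-client -passout env:PFX_PASS -out "$1/client_ssl.pfx"
}

# demo: run the whole round trip in a temporary directory that is removed afterwards
demo() (
  export PFX_PASS="constructed-pfx-pass" PEM_PASS="constructed-pem-pass"
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  make_demo_pfx "$d" && pfx_split "$d/client_ssl.pfx" "$d/out" &&
    key_matches_cert "$d/out/cert.pem" "$d/out/key.pem" &&
    echo "cert and key split and verified"
)
demo
```

For a real file, export PFX_PASS and PEM_PASS in the current shell and call pfx_split with the path to your .pfx and an output directory.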

Additional instructions on pfx to pem conversion

You can find additional instructions on using OpenSSL to convert .pfx to .pem in this post on Stack Overflow.

Install and Run OpenSSL on macOS

Probably the easiest way to install and run OpenSSL on macOS is to use Homebrew. Homebrew is a popular application that helps to port *nix based applications to macOS. You can install Homebrew from the following website:

Once you’ve installed homebrew, open Terminal and type: brew install openssl

Additional macOS Instructions on using OpenSSL from article

Check out this useful article by @timmykko for additional info on using Homebrew to install and use OpenSSL.

Note: Windows 10 and Linux options can be found at the end of this article.

openssl Command Options

OpenSSL man page options commands

The following options are available, as listed in the man page for openssl pkcs12.

-export       output PKCS12 file

-chain        add certificate chain

-inkey file   private key if not infile

-certfile f   add all certs in f

-CApath arg   – PEM format directory of CA’s

-CAfile arg   – PEM format file of CA’s

-name "name"  use name as friendly name

-caname "nm"  use nm as CA friendly name (can be used more than once).

-in  infile   input filename

-out outfile  output filename

-noout        don’t output anything, just verify.

-nomacver     don’t verify MAC.

-nocerts      don’t output certificates.

-clcerts      only output client certificates.

-cacerts      only output CA certificates.

-nokeys       don’t output private keys.

-info         give info about PKCS#12 structure.

-des          encrypt private keys with DES

-des3         encrypt private keys with triple DES (default)

-aes128, -aes192, -aes256

              encrypt PEM output with cbc aes

-camellia128, -camellia192, -camellia256

              encrypt PEM output with cbc camellia

-nodes        don’t encrypt private keys

-noiter       don’t use encryption iteration

-nomaciter    don’t use MAC iteration

-maciter      use MAC iteration

-nomac        don’t generate MAC

-twopass      separate MAC, encryption passwords

-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)

-certpbe alg  specify certificate PBE algorithm (default RC2-40)

-keypbe alg   specify private key PBE algorithm (default 3DES)

-macalg alg   digest algorithm used in MAC (default SHA1)

-keyex        set MS key exchange type

-keysig       set MS key signature type

-password p   set import/export password source

-passin p     input file pass phrase source

-passout p    output file pass phrase source

-CSP name     Microsoft CSP name

-LMK          Add local machine keyset attribute to private key

Install OpenSSL on Windows 10

Install and run OpenSSL on Windows 10

Instructions on installing OpenSSL on Windows 10 can be found in the KB from DigiCert.

OpenSSL Cryptography and SSL/TLS Toolkit

OpenSSL home page to get the installers for Linux

Be sure to check out the OpenSSL homepage for additional info and to obtain Linux installers.