1. Introduction

Certificates play a crucial role in ensuring secure communication on the internet. Two common file formats used in the certificate ecosystem are PFX and PEM. Each format serves specific purposes but comes with its own limitations.

In this tutorial, we’ll explore what PFX and PEM files are, highlight their deficiencies, and explain why we might need to convert one format to the other. We’ll then walk through how to use OpenSSL, a widely-used cryptographic toolkit, to perform this conversion.

By the end, we’ll have a clear understanding of how to handle this process and why it’s essential.

2. Understanding PFX and PEM File Formats

When working with certificates, it’s essential to understand the different formats in which they can be stored and used. PFX and PEM are two of the most common formats. Each serves a specific use case and comes with unique characteristics that influence how and where it’s used.

Let’s break down these formats, their structures, and the challenges associated with each.

2.1. What Is a PFX File?

A PFX (Personal Information Exchange) file, also known as PKCS#12, is a binary file format used to store a bundle of cryptographic objects. It typically contains a certificate, intermediate certificates, and the associated private key — all packaged together and protected by a password.

PFX files are widely used for exporting and importing certificates, particularly in Windows environments. Their all-in-one structure makes them convenient for transferring a certificate with its dependencies. However, this same feature can become a drawback in environments that require separate files for each component.

2.2. What Is a PEM File?

A PEM (Privacy-Enhanced Mail) file is a text-based format that stores certificate data, private keys, or other cryptographic elements. PEM files are encoded in Base64 with a clear text header and footer, such as:

-----BEGIN CERTIFICATE-----
[Base64-encoded content]
-----END CERTIFICATE-----

Unlike PFX files, we often split PEM files into separate files for certificates and private keys. This separation makes PEM the preferred format in Unix/Linux environments and many web servers, like Apache and NGINX.

2.3. Deficiencies of Each Format

While convenient, the single-file structure of PFX can make it less flexible for configurations that require separate certificate and key files. On the other hand, PEM files are more fragmented, meaning we may need to manage multiple files for a single entity, which can increase complexity.

Converting from PFX to PEM is often necessary to align with the requirements of a specific system or application.

3. How to Convert PFX to PEM Using OpenSSL

OpenSSL is an open-source toolkit for cryptography and secure communication. It’s highly versatile and widely adopted in both development and production environments.

The toolkit supports a broad range of cryptographic operations, including the conversion of certificate file formats. Its command-line utility makes the process of converting PFX to PEM straightforward, even for those of us new to cryptography.

3.1. Installing OpenSSL

Most Linux distributions ship with OpenSSL pre-installed. If it's missing, we can install it on Debian-based distributions, like Ubuntu and Linux Mint, using apt:

$ sudo apt-get install openssl

For RHEL, CentOS, Rocky Linux, AlmaLinux, and Fedora, we can use yum:

$ sudo yum install openssl

Once installed, we can verify the installation by running the command:

$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

This displays the installed version, confirming that OpenSSL is ready to use.

3.2. Converting the PFX File to a PEM File

Let’s see how to extract the contents of a PFX file and save them as a PEM file:

$ openssl pkcs12 -in file.pfx -out file.pem -nodes

Let’s explain the command parameters:

  • pkcs12 specifies using the utility for handling PKCS#12 (PFX) files
  • -in file.pfx specifies the input PFX file
  • -out file.pem specifies the output PEM file
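  • -nodes (No DES) writes the private key to the output unencrypted, so file.pem has to be protected like any other secret; OpenSSL 3.0 and later deprecate this flag in favor of the equivalent -noenc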

When prompted, we need to enter the password for the PFX file.

3.3. Splitting the PEM File (Optional)

If our PEM file contains both the certificate and private key, we can split them into separate files.

First, let’s extract the private key:

$ openssl pkey -in file.pem -out privatekey.pem

Then, let’s extract the certificate:

$ openssl x509 -in file.pem -out certificate.pem

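Now, we’ll have two separate files: one for the certificate and one for the private key. Note that openssl x509 writes only the first certificate it finds in file.pem, so any intermediate certificates in the bundle aren’t copied to certificate.pem.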
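
The conversion and split from sections 3.2 and 3.3 can be scripted so that the unencrypted key never lands in a world-readable file and the result is checked before use. The script below is an added example, not part of the original article; the PFX_PASS variable, the file paths, and the throwaway self-signed PFX it generates are assumptions made so that it runs offline:

```sh
#!/bin/sh
# Added example (not from the article). PFX_PASS and all paths are assumptions.
set -eu

# Build a throwaway self-signed PFX in directory $1 (constructed sample data).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/file.pfx" -passout env:PFX_PASS
}

# Convert the PFX $1 into privatekey.pem and certificate.pem in directory $2.
pfx_to_pem() {
    (
        umask 077  # files created below are readable by their owner only
        # env:PFX_PASS keeps the password off the command line
        openssl pkcs12 -in "$1" -out "$2/file.pem" -nodes -passin env:PFX_PASS
        openssl pkey -in "$2/file.pem" -out "$2/privatekey.pem"
        # x509 copies only the first certificate found in the bundle
        openssl x509 -in "$2/file.pem" -out "$2/certificate.pem"
        rm -f "$2/file.pem"  # remove the combined copy of the plaintext key
    )
    chmod 644 "$2/certificate.pem"  # the certificate is public data
}

# Succeed only if key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Demo on constructed data in a temporary directory.
demo() {
    PFX_PASS='constructed-demo-password'
    export PFX_PASS
    dir=$(mktemp -d)
    make_sample_pfx "$dir"
    pfx_to_pem "$dir/file.pfx" "$dir"
    key_matches_cert "$dir/privatekey.pem" "$dir/certificate.pem" &&
        echo "key and certificate match"
    rm -rf "$dir"
}
demo
```

With a real PFX, we'd export PFX_PASS ourselves and call only pfx_to_pem and key_matches_cert.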

4. Conclusion

Converting a PFX file to PEM format is a common task, especially when working across different operating systems or servers with specific file format requirements.

In this article, we began by understanding the differences between PFX and PEM formats. PFX files bundle everything together, while PEM separates certificates and private keys, offering greater flexibility for certain configurations.

Then, we explored how to convert a PFX file to PEM format using OpenSSL. Afterwards, we discussed the advantages of using OpenSSL for this conversion and provided a step-by-step guide to extract certificates and private keys from a PFX file.