Personal, Public Key Infrastructure ( PKI ), Tech

PFX (p12) Certificate Conversion

What is a PFX Certificate

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a file format commonly used to store X.509 private keys with accompanying public key certificates, protected with a password-based symmetric key PFX Certificate?

In practice .pfx is just another file extension for a PKCS#12 or .p12 type certificate.

Convert PFX to PEM

This command will convert a pfx certificate to a X509 pem encoded certificate. The use of the -nodes flag will give the option to password protect the private key in the new pem encoded certificate. For information on converting pem to der encoded certificates.

Export ALL: Public Certificates, Private Keys, and CA Chain as single certificate

Encrypt private key with a password

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem

Do not encrypt private key

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem -nodes

Export Public Certificate from pfx

openssl pkcs12 -in Certificate.pfx -out NewCertificate.pem -nokeys -clcerts

Export Private Key from pfx

openssl pkcs12 -in certificate.pfx -out certificate.key -nocerts -nodes

Export Certificate Authority (CA) Chain from pfx

openssl pkcs12 -in certificate.pfx -out ca-chain.pem -nokeys -cacerts

Convert PFX to JKS ( Java Keystore )

If you do have Keytool application and your PKCS#12 file, launch the one-line command:
keytool -importkeystore -srckeystore source.p12 -srcstoretype pkcs12
-srcalias Alias -destkeystore target.jks -deststoretype jks
-deststorepass password -destalias Alias


One thought on “PFX (p12) Certificate Conversion”

  1. Sonny says:

    Thanks for putting this together, you saved me hours of work. I need to script extraction of private keys from 1000s of files, this helps greatly and doing it manually would have been a deal breaker.

Leave a Reply

Your email address will not be published. Required fields are marked *