I would consider this as an extended post to my previous post that I had written six months ago.

A PFX Certificate usually contains the following in PKCS#12 format:

  • The actual certificate.
  • The private key to the certificate.
  • The Intermediate authority certificate that ensures the trustworthiness of the certificate.

To extract all those files, here are the steps that I have documented:


If the .PFX file prompts you for a passphrase, please check with your project manager or client regarding this information.

Extract the Encrypted Private Key

openssl pkcs12 -in <filename.pfx> -nocerts -out encrypted.key

Extract RSA Private Key

openssl rsa -in encrypted.key -out private.key

Extract Certificate

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out certificate.crt

Extract Combined Chain Certificate (Optional)

openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > combined_chain_certificate.crt

Once you are done extracting all the required files, you can add the certificates like this:

Apache configuration:

SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key

# Optional, if you have it, else skip.
SSLCertificateChainFile /path/to/combined_chain_certificate.crt

Test if it works:

apachectl configtest
systemctl restart httpd

Nginx configuration:

# If you don't have a combined chain certificate:
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private.key;

# If you have a combined chain certificate:
ssl_certificate /path/to/combined_chain_certificate.crt
ssl_certificate_key /path/to/private.key;

Test if it works:

nginx -t
systemctl restart nginx

Hope you found this tip useful.