Convert PFX to PEM — Free Online PKCS#12 Converter
Extract certificate and private key from a PFX/P12 file into separate PEM files — 100% in-browser.
Frequently Asked Questions
PFX vs PEM: What's the Difference?
SSL certificates come in two primary encoding formats: PFX (PKCS#12) and PEM. Understanding the difference helps you deploy certificates correctly across different platforms and web servers.
PFX / PKCS#12 is a binary archive format that packages everything together — the end-entity certificate, its matching private key, and optionally the full CA chain — into one password-encrypted file. Windows, IIS, Exchange, and Azure services commonly use PFX. When you export a certificate from Windows Certificate Store or Azure Key Vault, the result is typically a .pfx or .p12 file.
PEM (Privacy Enhanced Mail) is a Base64-encoded text format with ASCII armor headers (-----BEGIN CERTIFICATE-----). Nginx, Apache, HAProxy, and most Linux-based infrastructure expect PEM. Typically, you provide a certificate file (.crt or .pem), a private key file (.key), and optionally a CA bundle separately.
Converting PFX to PEM involves three steps: (1) decrypt the PKCS#12 archive using the password, (2) extract the certificate, (3) extract the private key. This tool performs all three steps using the open-source node-forge library running entirely in your browser — your private key never touches any server.
The equivalent OpenSSL command is:
openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem openssl pkcs12 -in cert.pfx -cacerts -nokeys -out chain.pem