Create a .pfx/.p12 Certificate File Using OpenSSL

Create a .pfx/.p12 Certificate File Using OpenSSL

SSL Support Team
June 19, 2015
Other, SSL/TLS
OpenSSL provides a wide variety of SSL/TLS server certificates for HTTPS websites, including:

Basic SSL
High Assurance SSL
Enterprise EV SSL
Wildcard SSL
Multi-Domain (UCC/SAN) SSL


The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows and macOS machines to import and export certificates and private keys.

PEM (.pem, .crt, .cer) to PFX
PKCS#7/P7B (.p7b, .p7c) to PFX


The original private key used for the certificate
A PEM (.pem, .crt, .cer) or PKCS#7/P7B (.p7b, .p7c) File
OpenSSL (included with Linux/Unix and macOS, and easily installed on Windows with Cygwin)

The commands below demonstrate examples of how to create a .pfx/.p12 file in the command line using OpenSSL:
PEM (.pem, .crt, .cer) to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

Breaking down the command:

openssl – the command for executing OpenSSL
pkcs12 – the file utility for PKCS#12 files in OpenSSL
-export -out certificate.pfx – export and save the PFX file as certificate.pfx
-inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
-in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
-certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.

After entering the command, you will be prompted to enter and verify an export password to protect the PFX file. Remember this password! You will need it when you wish to export the certificates and key.
If you are creating a PFX to install on Azure Web Apps, or another service requiring a PFX file for SSL/TLS installation, it is recommended to include a full chain of trust in your PFX. You can do this by downloading the Apache download link from your account, and including both your website certificate and the file named ca-bundle-client.crt in your PFX file. For example:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile ca-bundle-client.crt

Apache download link
PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

Breaking down the command:

openssl – the command for executing OpenSSL
pkcs7 – the file utility for PKCS#7 files in OpenSSL
-print_certs -in certificate.p7b – prints out any certificates or CRLs contained in the file.
-out certificate.crt – output the file as certificate.crt

Note: You can also use OpenSSL to extract the certificates and private key from a PKCS#12/PFX file.