PFX to PEM Extractor

Open a password-protected .pfx/.p12 file in your browser and split it into certificate, chain and private-key PEM blocks. The file and its password stay on your device.

The .pfx file and its password are decoded entirely in your browser and never uploaded — nothing is sent to ArrayKit. Treat the extracted private key as a secret and store it somewhere safe.

Converting SSH keys instead? Try the PPK to PEM Converter.

About PFX to PEM Extractor

This PFX to PEM extractor opens a password-protected .pfx or .p12 (PKCS#12) file and splits it into the separate PEM blocks that most web servers and tools expect: the leaf certificate, any CA/chain certificates, and the private key. Drop the archive in or pick it with the file dialog, type its password, and the tool decodes it right in the page. Each PEM block appears in its own panel that you can copy or download as certificate.pem, private-key.pem, and chain.pem. Use it to move a Windows or IIS certificate bundle into nginx, Apache, HAProxy, or any tool that wants PEM files instead of a single PKCS#12 blob. A wrong password produces a clear error rather than a broken file. The .pfx file and its password stay in your browser and are never uploaded.

Features

How to use the PFX to PEM Extractor

  1. Drop your .pfx or .p12 file onto the box, or click to choose it.
  2. Type the password that protects the PKCS#12 archive.
  3. Click Extract PEM to decode the file in your browser.
  4. Copy each PEM block, or download certificate.pem, private-key.pem, and chain.pem.

Example

Input

server.pfx  (PKCS#12, password: ••••••)

Output

certificate.pem
-----BEGIN CERTIFICATE-----
MIID… (leaf certificate)
-----END CERTIFICATE-----

private-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIE… (private key)
-----END RSA PRIVATE KEY-----

chain.pem
-----BEGIN CERTIFICATE-----
MIID… (intermediate CA)
-----END CERTIFICATE-----

A single .pfx bundle split into leaf certificate, private key, and CA chain PEM files.

Common errors & troubleshooting

Frequently asked questions

What is a PFX / P12 file?
A .pfx or .p12 file is a PKCS#12 archive: a single password-protected bundle that packs a certificate, its CA/chain certificates, and the matching private key together. Windows, IIS, and many code-signing tools export in this format, while nginx, Apache, and most Linux tools want the pieces as separate PEM files.
How do I convert a PFX to PEM?
Drop the .pfx onto this tool, enter its password, and click Extract PEM. It splits the archive into a leaf certificate, the CA chain, and the private key, each shown in its own copyable panel with a download button for certificate.pem, private-key.pem, and chain.pem.
Is my private key uploaded to a server?
No. The .pfx file and its password are read and decoded entirely in your browser, on your device. Nothing about the file or its contents is sent to ArrayKit or anywhere else.
Why do I need the password?
A PKCS#12 archive is encrypted, and the private key inside is protected by the password set when the file was created. Without the correct password the archive can't be decrypted, so the certificate and key can't be extracted.
What's the difference between the certificate, chain, and private key?
The leaf certificate identifies your domain or identity, the CA chain is the intermediate certificates that link it back to a trusted root, and the private key is the secret half of the keypair. Web servers usually need the leaf and key, and often the chain too.
Does it support both .pfx and .p12 extensions?
Yes. Both are the same PKCS#12 format — .pfx is common on Windows and .p12 elsewhere. The extractor reads either extension and any valid PKCS#12 archive regardless of what it's named.

Related tools

All ArrayKit tools