PFX to PEM Extractor
Open a password-protected .pfx/.p12 file in your browser and split it into certificate, chain and private-key PEM blocks. The file and its password stay on your device.
The .pfx file and its password are decoded entirely in your browser and never uploaded — nothing is sent to ArrayKit. Treat the extracted private key as a secret and store it somewhere safe.
Converting SSH keys instead? Try the PPK to PEM Converter.
About PFX to PEM Extractor
This PFX to PEM extractor opens a password-protected .pfx or .p12 (PKCS#12) file and splits it into the separate PEM blocks that most web servers and tools expect: the leaf certificate, any CA/chain certificates, and the private key. Drop the archive in or pick it with the file dialog, type its password, and the tool decodes it right in the page. Each PEM block appears in its own panel that you can copy or download as certificate.pem, private-key.pem, and chain.pem. Use it to move a Windows or IIS certificate bundle into nginx, Apache, HAProxy, or any tool that wants PEM files instead of a single PKCS#12 blob. A wrong password produces a clear error rather than a broken file. The .pfx file and its password stay in your browser and are never uploaded.
Features
- Opens password-protected .pfx and .p12 (PKCS#12) archives
- Splits the bundle into separate certificate, CA chain, and private-key PEM blocks
- Handles both shrouded (pkcs8ShroudedKeyBag) and plain private-key bags
- First certificate is treated as the leaf; the rest become the CA chain
- Copy each PEM block or download it as certificate.pem, private-key.pem, or chain.pem
- Clear "incorrect password or not a valid PKCS#12 file" error on a bad password
- Accepts files via drag-and-drop or the file picker
- Runs entirely in your browser — the file and password never leave your device
How to use the PFX to PEM Extractor
- Drop your .pfx or .p12 file onto the box, or click to choose it.
- Type the password that protects the PKCS#12 archive.
- Click Extract PEM to decode the file in your browser.
- Copy each PEM block, or download certificate.pem, private-key.pem, and chain.pem.
Example
Input
server.pfx (PKCS#12, password: ••••••)
Output
certificate.pem
-----BEGIN CERTIFICATE-----
MIID… (leaf certificate)
-----END CERTIFICATE-----
private-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIE… (private key)
-----END RSA PRIVATE KEY-----
chain.pem
-----BEGIN CERTIFICATE-----
MIID… (intermediate CA)
-----END CERTIFICATE-----
A single .pfx bundle split into leaf certificate, private key, and CA chain PEM files.
Common errors & troubleshooting
- You see "Incorrect password or not a valid PKCS#12 file". — Retype the exact password used when the .pfx was created (it is case-sensitive), and confirm the file is really a PKCS#12 archive with a .pfx or .p12 extension, not a plain .cer or .pem.
- The private-key panel is empty but the certificate appears. — The .pfx was exported without its private key (certificate-only export). Re-export from the source, choosing the option to include the private key, then try again.
- The CA chain block is missing. — Not every .pfx bundles the intermediate certificates. If your server needs the full chain, export the .pfx with "include all certificates in the path" enabled, or download the intermediates from your CA.
- nginx or Apache rejects the private-key.pem. — Some tools want a specific PEM header. If you get an RSA PRIVATE KEY but need a PKCS#8 BEGIN PRIVATE KEY (or vice versa), convert it with openssl pkey, then point your server at the converted file.
Frequently asked questions
- What is a PFX / P12 file?
- A .pfx or .p12 file is a PKCS#12 archive: a single password-protected bundle that packs a certificate, its CA/chain certificates, and the matching private key together. Windows, IIS, and many code-signing tools export in this format, while nginx, Apache, and most Linux tools want the pieces as separate PEM files.
- How do I convert a PFX to PEM?
- Drop the .pfx onto this tool, enter its password, and click Extract PEM. It splits the archive into a leaf certificate, the CA chain, and the private key, each shown in its own copyable panel with a download button for certificate.pem, private-key.pem, and chain.pem.
- Is my private key uploaded to a server?
- No. The .pfx file and its password are read and decoded entirely in your browser, on your device. Nothing about the file or its contents is sent to ArrayKit or anywhere else.
- Why do I need the password?
- A PKCS#12 archive is encrypted, and the private key inside is protected by the password set when the file was created. Without the correct password the archive can't be decrypted, so the certificate and key can't be extracted.
- What's the difference between the certificate, chain, and private key?
- The leaf certificate identifies your domain or identity, the CA chain is the intermediate certificates that link it back to a trusted root, and the private key is the secret half of the keypair. Web servers usually need the leaf and key, and often the chain too.
- Does it support both .pfx and .p12 extensions?
- Yes. Both are the same PKCS#12 format — .pfx is common on Windows and .p12 elsewhere. The extractor reads either extension and any valid PKCS#12 archive regardless of what it's named.
Related tools
- PPK ↔ PEM Converter — Convert SSH private keys between PuTTY .ppk and OpenSSH/PEM (RSA & Ed25519) — locally in your browser.
- SSH Key Generator — Generate Ed25519, RSA or ECDSA SSH keypairs in your browser and download the public and private keys.
- Certificate & Private Key Matcher — Confirm an X.509 certificate or CSR and a private key belong together (the classic modulus mismatch check) — locally in your browser.
- JWT Decoder — Decode JWT header & payload and inspect exp / iat (no verification).
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
All ArrayKit tools