Using a .pfx to install an SSL certificate

Got a .pfx file and need to install an SSL certificate with this? Here’s how I did it. You’ll need to extract the signed public certificate (public key) and the private key without passphrase.

cd /etc/nginx/
mkdir ssl
cd ssl
mv /path/to/pfx/file.pfx .
chmod 400 file.fpx

First extract the public certificate. You might be asked for a password.

openssl pkcs12 -in ./file.pfx -clcerts -nokeys -out public.crt

And extract the private key:

openssl pkcs12 -in ./file.pfx -nocerts -nodes -out private.rsa

Now you can test the server on an arbitrary port, using openssl:

openssl s_server -www -accept 443 -cert ./public.crt -key ./private.rsa

Make sure no one can read the files other than you:

chmod 400 /etc/nginx/ssl/*

With NginX it is now easy to fire up the server. I used a proxy for this, because from an architecture perspective, this is the easiest:

server {

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/public.crt;
    ssl_certificate_key /etc/nginx/ssl/private.rsa;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Ssl on;

I pass an additional X-Ssl header to the backend so they know we’re publicly serving through the SSL proxy (e.g. for building absolute URL’s). Once you actually know how to do it, it is easy as pie.

With thanks to Yadab Das and Berk D. Demir

This entry was posted in Linux & BSD and tagged , , . Bookmark the permalink. Trackbacks are closed, but you can post a comment.


  1. Jon
    Posted December 19, 2013 at 16:48 | Permalink

    Thank you, this was very helpful.

    but there is a small typo …

    In the command line, you’ve called the private key file ‘private.rsa’

    openssl pkcs12 -in ./file.pfx -nocerts -nodes -out private.rsa openssl s_server -www -accept 443 -cert ./public.crt -key ./private.rsa

    and in the nginx conf you’ve called it ‘private.key’

    ssl_certificate_key /etc/nginx/ssl/private.key;

    • drm
      Posted February 9, 2014 at 10:28 | Permalink

      Thanks, I updated the post 🙂

  2. Posted March 20, 2015 at 23:35 | Permalink


  3. Posted March 20, 2015 at 23:38 | Permalink

    using CA

  4. Posted November 2, 2016 at 18:48 | Permalink

    I found that your “extract public certificates” step omitted the intermediate certificates, which in turn prevented the PEM file from working.

    You can include the intermediate certificates in the output file if you do include the -nodes flag: openssl pkcs12 -in wildcard_intenvdemo_com_140715_export.pfx -out intenvdemo_public.pem -nodes -nokeys

  5. Tom
    Posted December 19, 2016 at 09:44 | Permalink


  6. anand
    Posted February 16, 2017 at 10:22 | Permalink

    thanks so much.

    although when i installed it said it missed intermediate certificate.

  7. Chri.s
    Posted May 22, 2017 at 23:04 | Permalink

    Bro, you mixed up chmod 400 file.fpx with chmod 400 file.pfx 😉

    But thanks!

  8. Giovanni
    Posted July 5, 2018 at 19:08 | Permalink

    Thank you very much. I used this technique to extract valid .crt and .key (I like .key instead of .rsa) files from a .pfx file for use with python/django/apache SSLCertificateFile and SSLCertificateKeyFile configuration.

Post a Comment

Your email is never published nor shared.

You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>