How to create a PFX file from PEM certificates using OpenSSL

A certificate and private key in separate PEM files cannot be imported directly into Windows certificate stores, IIS, many appliances, and vendor portals that ask for a PFX or PKCS#12 archive. The archive must contain the certificate, the matching key, and the required issuing chain, or the import may succeed while TLS, client authentication, or application startup fails later.

OpenSSL creates the archive with pkcs12 -export. The certificate is read with -in, the private key with -inkey, extra chain certificates with -certfile, and the archive password through -passout. OpenSSL 3.x defaults use AES-256-CBC with PBKDF2 for PKCS#12 export encryption unless compatibility options change that behavior.

Use a protected working directory and a password file from controlled secret storage so the PFX password does not appear in shell history or saved terminal output. Confirm the certificate/key pair before export, inspect the finished archive without dumping its private key, and keep both the source key and the PFX file restricted after the handoff.

Steps to create a PFX file from PEM certificates using OpenSSL:

Stage the certificate, private key, chain file, and PFX password in a private working directory.

$ install -d -m 700 "$HOME/pfx-export"
$ install -m 644 "$HOME/certs/www.example.net.crt.pem" "$HOME/pfx-export/www.example.net.crt.pem"
$ install -m 600 "$HOME/certs/www.example.net.key.pem" "$HOME/pfx-export/www.example.net.key.pem"
$ install -m 644 "$HOME/certs/www.example.net.chain.pem" "$HOME/pfx-export/www.example.net.chain.pem"
$ install -m 600 /run/secrets/pfx-password "$HOME/pfx-export/pfx-password.txt"
$ cd "$HOME/pfx-export"
$ ls -l www.example.net.crt.pem www.example.net.key.pem www.example.net.chain.pem pfx-password.txt
-rw------- 1 deploy deploy   21 Jun  5 20:37 pfx-password.txt
-rw-r--r-- 1 deploy deploy 1245 Jun  5 20:37 www.example.net.chain.pem
-rw-r--r-- 1 deploy deploy 1294 Jun  5 20:37 www.example.net.crt.pem
-rw------- 1 deploy deploy 1708 Jun  5 20:37 www.example.net.key.pem

Replace /run/secrets/pfx-password with the protected source that holds the archive password. Omit -passout file:pfx-password.txt in the export step to let OpenSSL prompt interactively instead.

Check that the certificate is the expected leaf certificate before packaging it.
```
$ openssl x509 -in www.example.net.crt.pem -noout -subject -issuer -enddate
subject=CN=www.example.net, O=Example Web
issuer=CN=Example Issuing CA, O=Example Internal PKI
notAfter=Sep  7 20:37:05 2028 GMT
```
Stop here if the subject, issuer, or expiry date belongs to a different certificate than the system or portal should receive.

Compare the certificate public key with the public key derived from the private key.

$ openssl x509 -in www.example.net.crt.pem -pubkey -noout -out www.example.net.crt.pub.pem
$ openssl pkey -in www.example.net.key.pem -pubout -out www.example.net.key.pub.pem
$ openssl dgst -sha256 www.example.net.crt.pub.pem www.example.net.key.pub.pem
SHA2-256(www.example.net.crt.pub.pem)= 49dd8dc476faa9edaa41b22d576ecc0fc09ceac5ee81aada8e961e5eeeda7e8b
SHA2-256(www.example.net.key.pub.pem)= 49dd8dc476faa9edaa41b22d576ecc0fc09ceac5ee81aada8e961e5eeeda7e8b

Matching digests show that the certificate and private key belong to the same key pair.

Tool: SSL Matcher (Certificate, CSR, and Key)

Verify the certificate against the chain file when the file contains the issuing CA material needed for the check.
```
$ openssl verify -CAfile www.example.net.chain.pem www.example.net.crt.pem
www.example.net.crt.pem: OK
```
If the chain file contains only intermediates, verify against the organization CA bundle or system trust store instead of treating a local openssl verify failure as proof that the certificate is wrong.
Create the PFX archive from the certificate, private key, and chain file.
```
$ openssl pkcs12 -export -out www.example.net.pfx -inkey www.example.net.key.pem -in www.example.net.crt.pem -certfile www.example.net.chain.pem -name "www.example.net" -passout file:pfx-password.txt
```
Omit -certfile www.example.net.chain.pem only when the target system already has the required issuing chain. Use -legacy only for older importers that reject the default OpenSSL 3.x PKCS#12 encryption.

Avoid -twopass unless the target explicitly requires separate integrity and encryption passwords. Many importers expect one archive password.
Restrict the PFX file and confirm that it was written.
```
$ chmod 600 www.example.net.pfx
$ ls -l www.example.net.pfx
-rw------- 1 deploy deploy 3698 Jun  5 20:37 www.example.net.pfx
```
The PFX archive contains the private key. Store it with the same controls used for the original private key.

Inspect the finished archive without printing its certificate or private key material.

$ openssl pkcs12 -in www.example.net.pfx -passin file:pfx-password.txt -info -noout
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

The output should include certificate bags and a shrouded keybag. A password error or missing keybag means the archive is not ready for import.

Extract only the leaf certificate from the archive and confirm that it matches the intended certificate metadata.

$ openssl pkcs12 -in www.example.net.pfx -passin file:pfx-password.txt -clcerts -nokeys -out pfx-leaf.crt.pem
$ openssl x509 -in pfx-leaf.crt.pem -noout -subject -issuer -enddate
subject=CN=www.example.net, O=Example Web
issuer=CN=Example Issuing CA, O=Example Internal PKI
notAfter=Sep  7 20:37:05 2028 GMT

-clcerts -nokeys writes the client or leaf certificate and skips private keys and CA certificates.

Remove the temporary password file and public-key comparison files after the PFX archive has passed inspection.
```
$ rm -f pfx-password.txt www.example.net.crt.pub.pem www.example.net.key.pub.pem pfx-leaf.crt.pem
```
Do not attach the private key, PFX archive, or password file to tickets, chat messages, screenshots, or saved troubleshooting logs.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.