Back to Blog

Converting PFX to PEM for Node.JS: A Step-by-Step Guide

I recently had to add SSL encryption to a Node.js application at work. Our client uses Microsoft's IIS web server and already had SSL certificates installed. However, the certificates were in PFX format, But I needed them in PEM format for Node.js. So this article will show you how to convert a PFX certificate to PEM format. We'll also learn how to extract the private key, certificate, and public key from the PFX file. Let's get started!

What is a PFX Certificate?

A PFX certificate is a binary format for storing the server certificate, intermediate certificates, and the private key in one encrypted file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

What is a PEM Certificate?

PEM certificates are Base64 encoded ASCII files that contain the server certificate, intermediate certificates, and the private key in one unencrypted file. PEM files usually have extensions such as .pem, .crt, .cer, and .key. PEM files are typically used on Linux machines to import and export certificates and private keys.

Prerequisites

Before we get started, you'll need to have the following installed on your machine:
  • OpenSSL
You can search for OpenSSL on your machine to see if it's already installed. If not, you can download it from the OpenSSL website.

Step 1: Export the PFX Certificate

You can export the PFX certificate from the Windows Certificate Manager. To do this, follow these steps:
  1. Open the Windows Certificate Manager by pressing the Windows key and typing certmgr.msc in the search bar. Then, press Enter.
  2. In the Certificate Manager, expand the Personal folder and select the Certificates folder.
  3. Right-click the certificate you want to export and select All Tasks > Export.
  4. In the Certificate Export Wizard, click Next.
  5. Select Yes, export the private key and click Next.
  6. Select Personal Information Exchange - PKCS #12 (.PFX) and check the box to Include all certificates in the certification path if possible. Then, click Next.
  7. Enter a password to protect the PFX file and click Next.
  8. Enter a file name and click Next.
  9. Click Finish.

Step 2: Extracting the Private Key

The PFX file contains the private key, but it's encrypted. To extract the private key, follow these steps:
for example:
bash
openssl pkcs12 -in mycert.pfx -nocerts -out private.key
Here is a breakdown of the command:
  • openssl pkcs12 - This command allows OpenSSL to manage PKCS#12 files (i.e., PFX files).
  • -in mycert.pfx - This is the name of the PFX file you exported in Step 1.
  • -nocerts - This option tells OpenSSL to only output the private key.
  • -out private.key - This is the name of the file that will contain the private key.
The command will prompt you to enter the password you created in Step 1. After entering the password, the private key will be extracted and saved to the file you specified.
The command will prompt you to enter the password you created in Step 1. After entering the password, the passphrase will be removed from the private key.

Step 3: Extracting the Certificate

Next, we need to extract the certificate from the PFX file. To do this, follow these steps:
bash
openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out certificate.crt
Here is a breakdown of the command:
  • openssl pkcs12 - This command allows OpenSSL to manage PKCS#12 files (i.e., PFX files).
  • -in mycert.pfx - This is the name of the PFX file you exported in Step 1.
  • -clcerts - This option tells OpenSSL to only output the client certificate.
  • -nokeys - This option tells OpenSSL to not output the private key.
  • -out certificate.crt - This is the name of the file that will contain the certificate.
The command will prompt you to enter the password you created in Step 1. After entering the password, the certificate will be extracted and saved to the file you specified.

Step 4: Extracting the Public Key

Now, we need to extract the public key from the certificate. To do this, follow these steps:
bash
openssl x509 -in certificate.crt -pubkey -noout > public-certificate.pem
Here is a breakdown of the command:
  • openssl x509 - This command allows OpenSSL to manage X.509 certificates.
  • -in certificate.crt - This is the name of the file containing the certificate.
  • -pubkey - This option tells OpenSSL to output the public key.
  • -noout - This option tells OpenSSL to not output the certificate.
  • > public-certificate.pem - This is the name of the file that will contain the public key.
The command will prompt you to enter the password you created in Step 1. After entering the password, the public key will be extracted and saved to the file you specified.

Step 5: Finalizing the Private Key

Finally, we need to finalize the private key. To do this, follow these steps:
bash
openssl rsa -in private.key -out private.key
Here is a breakdown of the command:
  • openssl rsa - This command allows OpenSSL to manage RSA keys.
  • -in private.key - This is the name of the file containing the private key.
  • -out private.key - This is the name of the file that will contain the private key.
Now, you have successfully converted the PFX file to PEM format, with the private key stored in private-key.pem and the public key in public-certificate.pem.

Conclusion

In this article, we learned how to convert a PFX certificate to PEM format. We also learned how to extract the private key, certificate, and public key from the PFX file. Finally, we learned how to finalize the private key.

References