What is the main difference between PEM and PFX formats?

PEM is a Base64-encoded text format that stores certificates and keys in separate readable files, while PFX (PKCS#12) is a binary format that bundles the certificate, private key, and certificate chain into a single password-protected file. PEM files can be opened in any text editor; PFX files require specialized tools to view.

Which format should I use for Windows servers?

Windows servers (IIS, Exchange, Windows Server) typically prefer PFX format because it bundles everything into one file that's easy to import through the Windows Certificate Manager. Windows natively supports importing PFX files through the MMC snap-in or PowerShell's Import-PfxCertificate cmdlet.

Which format should I use for Linux/Apache/Nginx?

Linux servers running Apache or Nginx typically use PEM format. Apache uses separate SSLCertificateFile and SSLCertificateKeyFile directives pointing to .crt and .key files. Nginx similarly uses ssl_certificate and ssl_certificate_key directives with PEM-formatted files.

How do I convert PFX to PEM using OpenSSL?

Use these OpenSSL commands: To extract the certificate, run 'openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt'. To extract the private key, run 'openssl pkcs12 -in certificate.pfx -nocerts -out private.key'. You'll be prompted for the PFX password and optionally a new key passphrase.

How do I convert PEM to PFX using OpenSSL?

Run 'openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca-chain.crt'. This combines your private key, certificate, and CA chain into a single PFX file. You'll be prompted to create a password for the PFX file.

Can I use the same certificate in both formats?

Yes, the underlying certificate data is identical—only the container format differs. You can freely convert between PEM and PFX without losing any certificate information. The private key, public certificate, and chain certificates remain cryptographically identical after conversion.

PEM vs PFX: Certificate Format Comparison and Conversion Guide

Understanding the difference between PEM and PFX certificate formats is essential for properly deploying SSL/TLS certificates across different platforms. This guide explains each format, when to use them, and how to convert between them.

Quick Comparison: PEM vs PFX

Feature	PEM	PFX (PKCS#12)
Encoding	Base64 text	Binary
File Extensions	.pem, .crt, .cer, .key	.pfx, .p12
Readable	Yes (text editor)	No (binary)
Structure	Separate files	Single bundled file
Password Protected	Key file optional	Always encrypted
Primary Use	Linux, Apache, Nginx	Windows, IIS, Exchange

What is PEM Format?

PEM (Privacy Enhanced Mail) is the most common certificate format on Unix/Linux systems. It uses Base64 encoding wrapped with header and footer lines.

PEM File Structure

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
... (Base64 encoded data) ...
-----END CERTIFICATE-----

Common PEM File Extensions

.pem - Generic PEM file (certificate or key)
.crt / .cer - Certificate file
.key - Private key file
.csr - Certificate signing request

PEM Advantages

Human-readable in any text editor
Easy to copy/paste
Can concatenate multiple certificates in one file
Native support in Linux/Unix systems
Works directly with Apache, Nginx, and most open-source software

What is PFX/PKCS#12 Format?

PFX (Personal Information Exchange) or PKCS#12 is a binary format that stores the certificate, private key, and certificate chain in a single encrypted file.

PFX Characteristics

Binary format (not human-readable)
Password-protected by default
Contains certificate + private key + chain
Native support in Windows environments
Single file deployment

Common PFX File Extensions

.pfx - Windows convention
.p12 - PKCS#12 standard (functionally identical)

PFX Advantages

Single file contains everything needed
Password protection built-in
Easy import/export in Windows
Simpler backup and transfer
Required by some applications (Azure, IIS)

When to Use PEM Format

Use PEM format for:

Apache web servers - SSLCertificateFile directive
Nginx web servers - ssl_certificate directive
Linux/Unix systems - Native support
Docker containers - Most images expect PEM
AWS Certificate Manager - Import requires PEM
Let's Encrypt - Issues certificates in PEM
Java keystores - Import via keytool (after conversion)

When to Use PFX Format

Use PFX format for:

Windows Server / IIS - Native certificate import
Microsoft Exchange - Certificate configuration
Azure App Services - Custom domain certificates
Microsoft 365 - Custom domain setup
Windows Certificate Store - Import/export
Outlook S/MIME - Email encryption certificates
Code signing - Windows Authenticode

Converting PEM to PFX

Use OpenSSL to combine PEM files into a PFX:

Basic Conversion

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt

Include Certificate Chain

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca-chain.crt

With Friendly Name

openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca-chain.crt \
  -name "My Certificate"

You'll be prompted to create a password for the PFX file.

Converting PFX to PEM

Extract individual components from a PFX file:

Extract Certificate Only

openssl pkcs12 -in certificate.pfx \
  -clcerts -nokeys \
  -out certificate.crt

Extract Private Key Only

openssl pkcs12 -in certificate.pfx \
  -nocerts \
  -out private.key

Extract Key Without Password

openssl pkcs12 -in certificate.pfx \
  -nocerts -nodes \
  -out private.key

Extract CA Chain

openssl pkcs12 -in certificate.pfx \
  -cacerts -nokeys \
  -out ca-chain.crt

Extract Everything to Single PEM

openssl pkcs12 -in certificate.pfx \
  -out combined.pem \
  -nodes

Verifying Certificate Contents

View PEM Certificate Details

openssl x509 -in certificate.crt -text -noout

View PFX Certificate Details

openssl pkcs12 -in certificate.pfx -info -nokeys

Verify Certificate Matches Private Key

# Compare these outputs - they should match
openssl x509 -in certificate.crt -noout -modulus | openssl md5
openssl rsa -in private.key -noout -modulus | openssl md5

Platform-Specific Import Instructions

Windows (Certificate Manager)

Double-click the .pfx file
Select Local Machine or Current User
Enter the PFX password
Choose certificate store (Personal, Web Hosting, etc.)
Complete the wizard

Windows (PowerShell)

$password = ConvertTo-SecureString -String "your-password" -AsPlainText -Force
Import-PfxCertificate -FilePath "certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $password

Apache

SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

Nginx

ssl_certificate /etc/ssl/certs/certificate.crt;
ssl_certificate_key /etc/ssl/private/private.key;

Common Issues and Solutions

"Unable to load private key"

The private key may be encrypted. Use -nodes flag or decrypt first:

openssl rsa -in encrypted.key -out decrypted.key

"Mac verify error"

Wrong password for PFX file. Verify the password is correct.

"No certificate matches private key"

The certificate and key don't form a pair. Use the modulus comparison above to verify.

PFX won't import in Windows

Check if the PFX was created with legacy algorithms. Try:

openssl pkcs12 -export -legacy -out certificate.pfx -inkey private.key -in certificate.crt

Best Practices

Always password-protect PFX files - Never export without a password
Store private keys securely - Restrict file permissions (chmod 600)
Keep backups in PFX format - Single file is easier to backup
Use PEM for automation - Easier to script and manage
Verify after conversion - Always test the converted certificate works
Document the password - Store PFX passwords securely (password manager)

Summary

Choose PEM for Linux/Unix environments, Apache/Nginx servers, and when you need human-readable files or separate key/cert management.

Choose PFX for Windows environments, IIS, Exchange, Azure services, or when you need a single portable file with built-in password protection.

Both formats contain the same cryptographic data—only the container differs. Convert freely between them based on your deployment target.