OpenSSL - Installing or Renewing SSL Certs with a .pfx file

If you have a .pfx file, you'll need:

  • A password corresponding to the .pfx file
  • The openssl command

Use openssl commands to extract the following four files from the PFX:

CA Chain / Intermediate SSL Cert (ca_intermed_chain.pem)

#Get CA/Intermediate Certificate Only

openssl pkcs12 -in fullchain.pfx -nokeys -cacerts -out ca_intermed_chain.pem


Client Cert / Root cert (client_cert.pem)

#Get Client Certificate Only

openssl pkcs12 -in fullchain.pfx -nokeys -clcerts -out client_cert.pem


Private Key (privkey.pem)

# Get Private Key (-nodes writes the key unencrypted, so restrict access to privkey.pem)

openssl pkcs12 -in fullchain.pfx -nocerts -nodes -out privkey.pem



Full chain (fullchain.pem)

# Get Certificates (Full Chain)

openssl pkcs12 -in fullchain.pfx -nokeys -out fullchain.pem


After obtaining these files:

Verify the client certificate against the intermediate SSL certificate chain:

$ openssl verify -CAfile ca_intermed_chain.pem client_cert.pem

client_cert.pem: OK


Check the date of the new root cert:

$ cat client_cert.pem | openssl x509 -noout -dates

notBefore=Jan 27 15:05:30 2022 GMT
notAfter=Jan 19 14:22:25 2023 GMT
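
The whole procedure as one script, as an added example that is not part of the original page: it runs the four extractions above under a restrictive umask, then checks the chain, that privkey.pem belongs to client_cert.pem, and that the certificate is not about to expire. The function names, the PFX_PASS environment variable and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, PFX_PASS and the 30-day threshold are assumptions.
# The PFX password comes from the PFX_PASS environment variable, not from a
# command-line argument, so it is not visible in the process list.

# extract_pfx <file.pfx> <outdir>: the four extractions from the page.
extract_pfx() {
    (
        umask 077    # output files, including the unencrypted key, are owner-only
        mkdir -p "$2" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -cacerts \
            -out "$2/ca_intermed_chain.pem" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts \
            -out "$2/client_cert.pem" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
            -out "$2/privkey.pem" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys \
            -out "$2/fullchain.pem"
    )
}

# key_matches_cert <privkey.pem> <cert.pem>: succeeds only if the public key
# derived from the private key equals the public key inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days <cert.pem> <days>: fails if the cert expires within <days>.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_extracted <outdir> <min_days>: chain, key/cert match, remaining lifetime.
check_extracted() {
    openssl verify -CAfile "$1/ca_intermed_chain.pem" "$1/client_cert.pem" \
        >/dev/null || return 1
    key_matches_cert "$1/privkey.pem" "$1/client_cert.pem" || return 1
    cert_valid_for_days "$1/client_cert.pem" "$2"
}

# Usage: PFX_PASS='...' sh pfx_extract.sh fullchain.pfx outdir
if [ $# -eq 2 ]; then
    extract_pfx "$1" "$2" && check_extracted "$2" 30
fi
```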