If you’ve ever been handed a .pfx file and told to “just upload the certificate,” you know the pain that’s coming.

PFX (PKCS#12) files bundle your private key, SSL certificate, and any intermediate certificates into one encrypted file. That’s great until you actually need to extract those pieces for something like an NGINX server, AWS load balancer, or third-party CDN that wants them all separately.

macOS has OpenSSL built in, which is all you need. Here’s a simple shell script I use to extract the cert, private key, and chain in one shot and make them clipboard-ready for easy pasting.

The Script

Save the following as extract-ssl-from-pfx.sh:

#!/bin/bash

# Prompt for PFX file name
read -r -p "Enter the name of your PFX file (e.g., www.example.com.pfx): " PFX_FILE

# Check if the file exists
if [[ ! -f "$PFX_FILE" ]]; then
  echo "File '$PFX_FILE' not found!"
  exit 1
fi

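# Prompt for PFX password (hidden input; -r keeps backslashes intact)
read -r -s -p "Enter the password for the PFX file: " PFX_PASSWORD
echo ""

# Prompt for a temporary password for the private key (also hidden)
read -r -s -p "Enter a temporary password to protect the extracted private key: " PRIVATE_KEY_PASSWORD
echo ""

# Create every output file readable and writable by the current user only
umask 077

# Hand the passwords to openssl through the environment instead of
# pass:... arguments, which are visible in the process list (ps)
export PFX_PASSWORD PRIVATE_KEY_PASSWORD

# Extract the private key (with temporary password); stop if the PFX cannot be read
openssl pkcs12 -in "$PFX_FILE" -nocerts -out private-key.enc.pem -password env:PFX_PASSWORD -passout env:PRIVATE_KEY_PASSWORD || { echo "Could not read '$PFX_FILE' (wrong password?)"; exit 1; }

# Remove the password from the private key (pkey handles RSA and EC keys),
# writing to a separate file rather than over the input
openssl pkey -in private-key.enc.pem -out private-key.pem -passin env:PRIVATE_KEY_PASSWORD
rm -f private-key.enc.pem

# Extract the certificate (leaf certificate)
openssl pkcs12 -in "$PFX_FILE" -clcerts -nokeys -out certificate.pem -password env:PFX_PASSWORD

# Extract intermediate certificates (if any)
openssl pkcs12 -in "$PFX_FILE" -cacerts -nokeys -out intermediate.pem -password env:PFX_PASSWORD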

# Clean up certificate formatting
awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' certificate.pem > temp.pem && mv temp.pem certificate.pem
awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' intermediate.pem > temp.pem && mv temp.pem intermediate.pem

# Create the certificate chain (intermediate certificates only)
awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' intermediate.pem > certificate-chain.pem

# Display output
echo ""
echo "The following files have been generated:"
echo "- certificate.pem: Leaf certificate"
echo "- private-key.pem: Private key (no password)"
echo "- certificate-chain.pem: Intermediate certs"
echo ""

# Copy to clipboard for convenience
cat certificate.pem | pbcopy
echo "Certificate copied to clipboard. Paste this into the 'Certificate' field."
read -r

cat private-key.pem | pbcopy
echo "Private key copied to clipboard. Paste this into the 'Private Key' field."
read -r

cat certificate-chain.pem | pbcopy
echo "Certificate chain copied to clipboard. Paste this into the 'Certificate Chain' field."

Usage

Make it executable:

chmod +x extract-ssl-from-pfx.sh


Then run it:

./extract-ssl-from-pfx.sh


Follow the prompts. You’ll end up with three files and the contents ready to paste one by one wherever you need them.

A Quick Heads-Up

Your private key is sensitive. Please don’t leave it lying around. Store it securely or delete it after use.
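
A follow-up check, added here as an example and not part of the original script: it confirms that private-key.pem really belongs to certificate.pem by comparing their public keys, that the key file is accessible only to its owner, and that certificate-chain.pem is not empty. The function names are hypothetical; the default file names are the ones the script writes.

```shell
#!/bin/bash
# Added example: post-extraction checks. Function names are hypothetical;
# default file names are the ones written by extract-ssl-from-pfx.sh.

# Succeed only if the private key ($1) and the certificate ($2) carry the
# same public key. Returns 2 if either file cannot be parsed.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if the file grants no permissions to group or others.
key_is_owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print how many certificates a PEM file holds (0 if missing or empty).
count_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  awk '/-----BEGIN CERTIFICATE-----/ {n++} END {print n+0}' "$1"
}

# Run all checks; a non-zero return means the key must not be deployed as is.
check_extracted() {
  local cert="${1:-certificate.pem}" key="${2:-private-key.pem}"
  local chain="${3:-certificate-chain.pem}" rc=0
  key_matches_cert "$key" "$cert" \
    || { echo "FAIL: $key does not match $cert"; rc=1; }
  key_is_owner_only "$key" \
    || { echo "FAIL: $key is accessible to group or others"; rc=1; }
  [ "$(count_certs "$chain")" -gt 0 ] \
    || echo "NOTE: $chain holds no intermediate certificates"
  return "$rc"
}
```

Source the file and run check_extracted in the directory where the script wrote its output before pasting anything into a load balancer or CDN form.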


This script saves me time every time I deal with certificates. Hopefully, it does the same for you. If you have improvements or tweaks, I’d love to hear them.
