How to Create a PFX Certificate File from a PEM File

Problem

Some certificate authorities (such as Let's Encrypt) only supply certificate in the form of a PEM file, which is not usable by many Windows services.

In the case of Let's Encrypt, the PEM file may not have been generated as a part of a certificate signing request.

How to Convert PEM to PFX

• Install the latest stable Open SSL. The main page is here or you can find good Windows binaries here.
• Copy the PEM file to the OpenSSL binary folder, such as C:\Program Files\OpenSSL-Win64\bin
• Open an administrative command prompt or Powershell window to that folder
• Type in:

.\openssl pkcs12 -export -out result.pfx -inkey mypemfile.pem -in mypemfile.pem

• You will be prompted for a PFX password as part of the process. You must securely store the password with the PFX file to be able to use it.
• Above, the -inkey command is used to input the private key. If you have a separate certificate signing request (CSR) this would likely not be in the .PEM file, but would be in a separate .CRT file:

.\openssl pkcs12 -export -out result.pfx -inkey mycsrkeyfile.crt -in mypemfile.cer

Also see here.

Applies to:

• Windows Server services that require a PFX certificate that includes the private key