Setup SSL using .PFX file on nginx/apache2

January 9, 2020
A complete guide to using a PFX certificate on your websites


A pfx file is password protected certificate archive which contains your certificate and the private key.

Certificate extensions can be confusing since there's so many different ones (.crt, .cert, .key, .pem, .csr, etc.). Personally I use the same extensions (.crt and .key) as nginx https documentation.

Get the .key file

Extract the encrypted key using:

openssl pkcs12 -in certfile.pfx -nocerts -out domain.tld.encrypted.key

Decrypt the encrypted key using:

openssl rsa -in domain.tld.encrypted.key -out domain.tld.key

Delete the domain.tld.encrypted.key file since we won't need it.

Get the .crt file

Get your domain certificate using:

openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out domain.tld.crt

Get your CA certificate using:

openssl pkcs12 -in certfile.pfx -cacerts -out bundle.crt

Concat the 2 .crt files into a chained.crt:

cat domain.tld.crt bundle.crt > domain.tld.chained.crt

Delete the bundle.crt and domain.tld.crt files.

Move the certificate

Move the files to the server in the dir /etc/ssl/private/ and make sure to secure the files by setting these permissions:

sudo chmod 600 domain.tld.*
sudo chown root:root domain.tld.*

Webserver conf

Update your webserver configuration for your site and add these to the sites you want HTTPS on.

# nginx
ssl on;
ssl_certificate     /etc/ssl/private/domain.tld.chained.crt;
ssl_certificate_key /etc/ssl/private/domain.tld.key;

# apache2 conf
SSLEngine on
SSLCertificateFile      /etc/ssl/private/domain.tld.chained.crt
SSLCertificateKeyFile   /etc/ssl/private/domain.tld.key

Remember to reload the service, or restart if it's a new site.

Checking your SSL

Test your certificate via and


Key and certificate in one file

You can move the .key into the .crt file, and then point to the same for for the ssl_certificate and ssl_certificate_key. This works for both nginx and apache2. Personally I like to have them seperate, to make it more clear, but I can understand why some would merge them to only have one file.

Renaming the files

I recommend adding the expire year to the certificates, like domain.tld.2020-2022.key. Where 2020-2022 is the valid years, so next time it would be 2022-2024. This will make it very easy to see which sites are using which certificates.

Follow RSS/Atom Feed