How to Convert Domain Certificates (CRT and KEY) into PFX using OpenSSL

Create the Certificate Bundle.


Certificates in the CA Bundle MUST be in the following order.

  1. Intermediate CA Certificate - SectigoRSADomainValidationSecureServerCA.crt
  2. Intermediate CA Certificate - USERTrustRSA-AAACA-xSign.crt
  3. Root CA Certificate - AddTrustExternalCARoot.crt

cat SectigoRSADomainValidationSecureServerCA.crt USERTrustRSA-AAACA-xSign.crt AddTrustExternalCARoot.crt > ca-bundle.crt

Generate the .PFX file from the domain certificate, CA bundle and private key.

openssl pkcs12 -export -out zone.pfx -inkey zone.key -in zone.crt -certfile ca-bundle.crt

You will also be prompted to specify a password for the PFX file. Make sure you remember the password; it will be needed when you import the PFX on a new server.
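
The following is an added example, not part of the original page: shell functions that check the two things the export depends on (the key belongs to the certificate, and the bundle is in the required order) before running the same pkcs12 command. File names follow the page; the function names and the PFX_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# PFX export. Function names and PFX_PASS are assumptions of this example.

# True only if the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert zone.key zone.crt
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if every certificate's issuer equals the subject of the next one,
# reading the domain certificate first and then the bundle top to bottom.
chain_in_order() {  # usage: chain_in_order zone.crt ca-bundle.crt
  openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '/^subject=/ { if (n && substr($0, 9) != want) bad = 1; n++ }
         /^issuer=/  { want = substr($0, 8) }
         END { exit (bad || n < 2) }'
}

# Number of certificates stored in the PFX (expected: domain cert + bundle).
pfx_cert_count() {  # usage: PFX_PASS=... pfx_cert_count zone.pfx
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Run both checks, then export with the same options as the page's command.
# The password comes from PFX_PASS instead of the interactive prompt.
make_pfx() {  # usage: PFX_PASS=... make_pfx zone.key zone.crt ca-bundle.crt zone.pfx
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  chain_in_order "$2" "$3" || { echo "bundle order is wrong" >&2; return 1; }
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -passout env:PFX_PASS
}
```

The order check compares issuer and subject names only; it does not verify signatures or trust.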


Last updated on by Yasitha Bogamuwa