# Convert SSL PFX for NGINX Usage

NGINX doesn’t natively use a pfx key file (pfx is what Windows IIS needs). So, it must be converted to a private key, removing the public key from it.

#### Folder Creation

Create the folder for storing SSL certificates:

```bash
cd /etc/nginx/
mkdir ssl
cd ssl
chmod 700 /etc/nginx/ssl
```

#### Public Cert

From the pfx file, recover the public certificate:

```bash
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out public.crt
```

<p class="callout info">NOTE: If you see an error, like the following, this means that the pfx was encoded with an old cipher.  
And, you must run the openssl command in legacy mode.  
</p>

[![image.png](https://wiki.galaxydump.com/uploads/images/gallery/2026-05/scaled-1680-/BEto9OSdt6NLHVJ0-image.png)](https://wiki.galaxydump.com/uploads/images/gallery/2026-05/BEto9OSdt6NLHVJ0-image.png)

To work around the above error, add the '-legacy' switch to your statement, like this:

```bash
openssl pkcs12 -legacy -in cert.pfx -clcerts -nokeys -out public.crt
```

#### Private Key

From the pfx file, recover the encrypted private key:

```bash
openssl pkcs12 -in cert.pfx -nocerts -nodes -out private.rsa
```

<p class="callout info">NOTE: Same as before. If you saw an error, when retrieving the public key, you will need to add the '-legacy' switch to the above statement.</p>

Now, decrypt the encrypted private key:

```bash
openssl rsa -in private.rsa -out private.key
```

#### Moving Them

Move the public certificate and private key to the ssl folder, created earlier.

Set permissions on the ssl folder and files, so only root can access the certs and keys:

```bash
chmod 600 -R /etc/nginx/ssl/*
```