How to Create p12 certificate for plex media server by combining cert.pem and privkey.pem

I have created what I think is a valid PKCS#12 file using the following command:
openssl pkcs12 -export -out certificate.p12 -inkey C:\Tools\OpenSSL\privkey.pem -in C:\Tools\OpenSSL\cert.pem -certfile C:\Tools\OpenSSL\chain.pem

Is there any better way to make PKCS#12 file?
I am not even sure that I am using the proper files.
I was trying to use the tool Portecle but get stuck when it asks for a password for the file privkey.pem.

Thanks for the help.

End result I would like a a PKCS #12 file to add to the following Plex Network configuration....

Custom certificate location - Path to a PKCS #12 file containing a certificate and private key to enable TLS support on a custom domain.
Custom certificate encryption key
Custom certificate domain - Domain name to be published to using your mapped port; must match a name from the custom certificate file.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): Nginx Proxy Manager


The operating system my web server runs on is (include version): QNAP container station docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Nginx Proxy Manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

It probably requires a non-blank password/passphrase.
You should be able to make a PKCS#12 file using OpenSSL by simply adding this parameter:

-passin val         Input file pass phrase source

-passin "VeryTempAndUselessPW"

1 Like

Hello @mjfast ,

That is the right way to create it using openssl. Without providing a password in the command, you should receive a dialog asking for the password, if you want to avoid that you can add the password to your command:

-password pass:hereyourplaintextpassword


-passout pass:hereyourplaintextpassword

So you command would look like this:

openssl pkcs12 -export -out certificate.p12 -inkey C:\Tools\OpenSSL\privkey.pem -in C:\Tools\OpenSSL\cert.pem -certfile C:\Tools\OpenSSL\chain.pem -password pass:hereyourplaintextpassword

You could also give a name to the certificate but it is just cosmetic, example:

openssl pkcs12 -export -out certificate.p12 -inkey C:\Tools\OpenSSL\privkey.pem -in C:\Tools\OpenSSL\cert.pem -certfile C:\Tools\OpenSSL\chain.pem -password pass:hereyourplaintextpassword -name hereyouryourdomain

If you want to use a GUI interface, maybe you should use KeyStore Explorer but I think, for your case, openssl is the fast way to create your pkcs12 file.

Keep in mind you should repeat this step every time you renew your certificate so maybe there is something in QNAP and/or your Plex to automate it but I can't advise here because I've never used neither QNAP nor Plex.

Good luck,


Thank you for the additional information. It will not be a huge deal to do this every 3 months.


But it would be a huge deal if you could automate it!
:clap: :fireworks: :confetti_ball: :raised_hands:


Thoughts or ideas on how to automate this process. I am trying to think of the best approach. I might be tricky as the location of the files will potentially change every time they get updated.

\SERVER\Web\nginx\letsencrypt\live\npm-11 is the current location but next time it might be in
\SERVER\Web\nginx\letsencrypt\live\npm-12 or 13 or 15.

I have an Ubuntu 20.04 computer that is always on that might be able to automate this process but it might be over my head to figure out how to do so.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.