When I tried to enable SSL for BitTorrent Sync installed on my new NAS Synology 215j it turned out it requires not pfx but private and public keys separately in base64 encoded form.
Here’s the command to extract certificate itself. It will prompt for existing pfx’s passphrase (password):
openssl pkcs12 -in synology.pfx -clcerts -nokeys -out synology.cer
To extract private key. It will prompt for pfx’s passphrase and for a passphrase to add to the key:
openssl pkcs12 -in synology.pfx -nocerts -out synology.private.key
To remove the passphrase:
openssl rsa -in synology.private.key -out synology.key
Now private key doesn’t contain any.