Generate the Microsoft-friendly export containing only the public key (the certificate, with no private key):

    openssl pkcs12 -export -out /www/localhost/htdocs/certs/pop-imap.pfx -in keyfile.pem -nokeys
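
Because the export is written under the web root, it is worth confirming that the PFX really carries certificates only before it is served. The script below is an added example, not part of the original note; it assumes the openssl CLI is on PATH, and the temporary files, CN and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed for the demo.
PFX_PASS='constructed-demo-pass'

# Exit status: 0 = file contains a private key, 1 = none found,
# 2 = file could not be parsed (wrong password, not PKCS#12, ...).
pfx_has_private_key() {
    out=$(openssl pkcs12 -in "$1" -nocerts -nodes \
            -passin "pass:$PFX_PASS" 2>/dev/null) || return 2
    printf '%s\n' "$out" | grep -q 'PRIVATE KEY'
}

# Number of certificates in the file (what a -nokeys export should carry).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Build a throwaway key + self-signed cert, then export it both ways.
make_demo_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=pop-imap.example.test' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    cat "$d/key.pem" "$d/cert.pem" > "$d/keyfile.pem"
    # Same form as the command above: certificate only.
    openssl pkcs12 -export -nokeys -in "$d/keyfile.pem" \
        -out "$d/public.pfx" -passout "pass:$PFX_PASS" || return 1
    # Without -nokeys the private key is bundled in.
    openssl pkcs12 -export -in "$d/keyfile.pem" \
        -out "$d/full.pfx" -passout "pass:$PFX_PASS"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pfx "$DEMO_DIR"
for f in public.pfx full.pfx; do
    pfx_has_private_key "$DEMO_DIR/$f"
    case $? in
        0) echo "$f: contains a private key, do not publish" ;;
        1) echo "$f: no private key found" ;;
        *) echo "$f: could not be parsed" ;;
    esac
done
```

To check a real export, set PFX_PASS to the password entered at export time and call pfx_has_private_key on the .pfx file.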