Extracting Certificate and Private Key Files from a .pfx File

Purpose

There may be scenarios where separate certificate and private key files are required, but only a single .pfx file is available. Microsoft Windows does not provide a way to complete this process.

It is still possible to obtain the required files. Export the certificate from the Windows Certificate Store into a single .pfx file using the Windows MMC; separate certificate and private key files can then be created from that .pfx file. The process below begins once the .pfx file has been obtained.

Procedure

  • The first step is to copy the exported file (e.g. certname.pfx) to a system where OpenSSL is installed.
    NOTE: *.pfx files are in PKCS#12 format and include both the certificate and the private key.
  • The following command will export the private key:
        openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  • The next command will export the certificate:
        openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  • Finally, if needed, the last command will remove the passphrase from the private key:
        openssl rsa -in key.pem -out server.key
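
The procedure above as a non-interactive script, added here as an example and not part of the original article: it restricts permissions on the extracted files, because -nodes writes the private key unencrypted, and checks that the extracted key belongs to the extracted certificate. The function names, the PFX_PASS environment variable and the constructed self-signed sample are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, PFX_PASS and
# the sample CN are illustrative assumptions. The import password is read from
# the environment (env:PFX_PASS) so it does not appear in the process list.

# Build a throwaway self-signed certificate and bundle it as PKCS#12, standing
# in for the .pfx exported from the Windows Certificate Store (constructed data).
make_sample_pfx() {  # usage: make_sample_pfx <out.pfx>
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$tmp/k.pem" -out "$tmp/c.pem" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$tmp/k.pem" -in "$tmp/c.pem" \
            -out "$1" -passout env:PFX_PASS
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the article's three commands without prompts. umask 077 (in a subshell,
# so the caller's umask is untouched) makes newly created output owner-only.
split_pfx() {  # usage: split_pfx <in.pfx> <out_dir>
    (
        umask 077
        openssl pkcs12 -in "$1" -nocerts -out "$2/key.pem" -nodes -passin env:PFX_PASS &&
            openssl pkcs12 -in "$1" -nokeys -out "$2/cert.pem" -passin env:PFX_PASS &&
            openssl rsa -in "$2/key.pem" -out "$2/server.key"
    ) 2>/dev/null
}

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert <key file> <cert.pem>
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo on the constructed sample: run this file with the argument --demo.
if [ "${1:-}" = "--demo" ]; then
    export PFX_PASS="constructed-sample-pass"
    d=$(mktemp -d) && make_sample_pfx "$d/certname.pfx" &&
        split_pfx "$d/certname.pfx" "$d" &&
        key_matches_cert "$d/server.key" "$d/cert.pem" &&
        echo "server.key matches cert.pem"
    rm -rf "$d"
fi
```

For a real export, set PFX_PASS to the password chosen in the MMC export wizard and call split_pfx on the copied file.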
