How To Extract Certificates and Private Key from .PFX file

NetShop ISP
Nov 19, 2024


PFX (Personal Information Exchange) is a file format used to store cryptographic information in a single file. One kind of information a PFX file can hold is an SSL certificate chain together with its private key.

In this article we will explain the reasons one may want to extract the certificates from a .PFX file and the exact steps on how to do it using OpenSSL.

Why Extract Certificates from Single .PFX File

Extracting certificates and private keys from a .pfx file can be necessary in various scenarios, particularly when managing SSL/TLS certificates, application deployments, or secure communications.

1. Application Requirements

Some applications or servers require separate files for certificates and private keys instead of a combined .pfx file:

Web Servers
Servers like Apache or Nginx require the private key and certificates to be in PEM format (.key and .crt files).

Load Balancers
Many load balancers such as HAProxy require the certificate chain (.crt) and private key in specific formats.

Mail Servers
Email software like Zimbra often requires separate key and certificate files.

2. Compatibility & Migration

A .pfx file (PKCS#12) is mainly used on Windows systems, whereas .pem, .crt and .key files are used on Linux. For example, when a wildcard SSL certificate is installed on a Windows Server and a developer then wants to install it on Linux, the certificates must be extracted from the .pfx file prior to installing them in the Linux environment (web server, proxy, etc).

3. Easy Renewal & Replacement

Extracting the Private Key from a .PFX is useful in cases of SSL renewal, when one needs to quickly issue a renewed certificate, without going through the hassle of CSR generation.

Best Way to Extract Certificates and Private Key from PFX file

OpenSSL is the utility with which we can extract certificates and the private key from a .pfx file.

In Linux systems use the following command to install openssl:

john@localhost:~$ sudo apt install openssl -y

If you are a Windows user, please visit OpenSSL’s Wiki for instructions on how to download and install OpenSSL for Windows.

Case 1: Extract all Certificates and Private Key in Single PEM file

The following command will extract all certificates (end-entity certificate, intermediate and root certificates) and the private key into a single .pem file. Because of the -nodes option, the private key is written to that file unencrypted.

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -out yourExtractedFile.pem -nodes

Case 2: Extract all Certificates and Private Key in Individual Files

In case you want the private key, the end-entity certificate, and the intermediate and root certificates in separate files, use the following commands:

Extract the private key:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -nocerts -nodes -out yourExtractedKey.pem

Extract the end-entity certificate:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -clcerts -nokeys -out yourExtractedEntityCert.pem

Extract the intermediate and root (if any) certificates:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -cacerts -nokeys -out yourExtractedChain.pem
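
The three Case 2 commands combined into one script, followed by a check that the extracted key really belongs to the extracted certificate. This is an added example, not part of the original article: the function names, the output file names and the PFX_PASS variable are assumptions, and the sample PFX is constructed from a throwaway CA.

```shell
#!/bin/sh
# Added example. Expects the PFX password in the exported variable PFX_PASS
# (an assumed name), so it is not typed on the openssl command line.

# Split a PFX ($1) into key.pem, cert.pem and chain.pem under directory $2.
extract_pfx() (
    pfx=$1 out=$2
    umask 077        # output files are created 0600: the key is written unencrypted
    mkdir -p "$out" || exit 1
    # -nodes is spelled -noenc in OpenSSL 3.x; the old name is still accepted there.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes -out "$out/key.pem" &&
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys -out "$out/cert.pem" &&
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys -out "$out/chain.pem"
)

# Succeed only if private key $1 and certificate $2 carry the same public key.
key_matches_cert() (
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# Constructed sample input: a throwaway CA and leaf bundled into $1/sample.pfx.
make_sample_pfx() (
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
        -certfile "$d/ca.crt" -passout env:PFX_PASS -out "$d/sample.pfx"
)

# Demo: build the sample, extract it, and confirm the key belongs to the leaf.
demo() (
    export PFX_PASS="constructed-demo-passphrase"
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    make_sample_pfx "$tmp" && extract_pfx "$tmp/sample.pfx" "$tmp/out" &&
    key_matches_cert "$tmp/out/key.pem" "$tmp/out/cert.pem" && echo "key matches certificate"
)
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to exercise it on the constructed sample; for a real file, export PFX_PASS and call extract_pfx with your own paths.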

Congratulations! If you followed the above steps you should have successfully extracted your desired certificates and private key from the PFX file.

Source: https://netshop-isp.com.cy/blog/how-to-extract-certificates-and-private-key-from-pfx-file/
