SSL How To | Exporting the Private Key and Certificate from a .pfx file

If you’ve exported an SSL certificate from a Windows PC via the Certificate Manager MMC plugin into a .pfx file, you may end up needing to split that file into its constituent parts (e.g. for moving the certificate to a Linux-based server or if you’re importing it into Plesk). Thankfully doing this is very easy.

While this tutorial is Windows orientated, all of the commands we’ll be using can be used on any OS (so long as OpenSSL is installed).

TOOLS AND PREP:

First things first, you’ll need to download OpenSSL. I got my copy of OpenSSL for Windows from here.

Once you have OpenSSL installed, open up Command Prompt and head to the bin folder in the directory where OpenSSL was installed.

For example:

cd C:\OpenSSL-Win64\bin

EXTRACTING THE PRIVATE KEY FROM THE .PFX FILE

You now need to begin by extracting the Private Key from the .pfx file.

Do this with the following command. You’ll be asked for the password of the .pfx and then for a new password for the .pem.

openssl pkcs12 -in "filelocation.pfx" -nocerts -out "newlocation.pem"

E.g.:

openssl pkcs12 -in "C:\Certs\jondotim.pfx" -nocerts -out "C:\Certs\jondotim.pem"

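You now need to remove the password from the new .pem file. You can do this with the following command. The resulting file holds the private key unencrypted, so keep it somewhere only the web server or administrator account can read.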

openssl rsa -in "filelocation.pem" -out "newlocation.pem"

E.g.:

openssl rsa -in "C:\Certs\jondotim.pem" -out "C:\Certs\jondotim_decrypted.pem"

EXTRACTING THE CERTIFICATE FROM THE .PFX FILE

Now you need to extract the certificate from the .pfx. Use the following command to do that.

openssl pkcs12 -in "filelocation.pfx" -clcerts -nokeys -out "newfilelocation.crt"

E.g.:

openssl pkcs12 -in "C:\Certs\jondotim.pfx" -clcerts -nokeys -out "C:\Certs\jondotim.crt"

You can view this file in a text editor (e.g. Notepad++).

If all of these steps have completed successfully, you’ll now be able to use your SSL certificate on another platform (e.g. Linux) or with a different web server (e.g. Apache).
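
The steps above as one non-interactive script, with a final check that the extracted key really belongs to the extracted certificate. This is an added example, not part of the original article; the function names, the PFX_PASS variable, the output file names and the throwaway demo.pfx are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: split a .pfx without prompts, then verify the result.
# The password is read from the PFX_PASS environment variable (assumed name)
# so it does not appear in the process list the way "pass:..." would.
set -e

# split_pfx <file.pfx> <outdir>: the three openssl steps from the article.
split_pfx() {
  ( umask 077 &&   # files written here are created owner-only
    openssl pkcs12 -in "$1" -nocerts -out "$2/key_enc.pem" \
      -passin env:PFX_PASS -passout env:PFX_PASS &&
    openssl rsa -in "$2/key_enc.pem" -out "$2/key.pem" -passin env:PFX_PASS &&
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.crt" \
      -passin env:PFX_PASS )
}

# key_matches_cert <key.pem> <cert.crt>: true only if both carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout) &&
    c=$(openssl x509 -in "$2" -noout -pubkey) &&
    [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway self-signed RSA certificate in demo.pfx.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
    -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
      -out "$1/demo.pfx" -passout env:PFX_PASS
}

PFX_PASS="constructed-demo-password"; export PFX_PASS
workdir=$(mktemp -d)
make_demo_pfx "$workdir"
split_pfx "$workdir/demo.pfx" "$workdir"
if key_matches_cert "$workdir/key.pem" "$workdir/cert.crt"; then
  echo "OK: key.pem matches cert.crt"
else
  echo "MISMATCH: key.pem does not belong to cert.crt" >&2
fi
```

If the .pfx holds a non-RSA key (e.g. EC), `openssl pkey` takes the place of `openssl rsa` in the decryption step.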
