Extract Certificate and Private Key from PFX File

April 20, 2023

The PKCS #12 (Public Key Cryptography Standard #12) is an archive file format for storing many cryptography objects, including a private key with its X.509 certificate.

The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptograph. It was first published in 1991.

The filename extensions for the PKCS #12 are .pfx (Personal Information Exchange) or .p12.

This guide explains how to extract X.509 certificates and private keys from PKCS #12 (.pfx) files using OpenSSL.

The Linux distribution used was Ubuntu 20.04 and the OpenSSL version was 1.1.1, but this guide should work for newer Linux distributions or OpenSSL version.

Prerequisites

Check your OpenSSL version before proceeding:

openssl version

If OpenSSL isn't installed, install it using your package manager:

sudo apt install openssl -y

Extraction Process

1. Extract the Private Key

For OpenSSL 3.0 and newer:

openssl pkcs12 -in certificate.pfx -nocerts -out private-key.pem -noenc

For OpenSSL versions below 3.0:

openssl pkcs12 -in certificate.pfx -nocerts -out private-key.pem -nodes

Command explanation:

-in certificate.pfx: Input PFX file path
-nocerts: Only output private keys
-out private-key.pem: Output file path
-noenc/-nodes: Disable private key encryption

2. Extract the Certificate

openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem

Command explanation:

-in certificate.pfx: Input PFX file path
-nokeys: Only output certificates
-out certificate.pem: Output file path

3. Verify the Extracted Files

Check the certificate content:

openssl x509 -in certificate.pem -text -noout

Verify the private key:

openssl rsa -in private-key.pem -check

Additional Notes

The PKCS #12 format (PFX) is designed for storing multiple cryptographic objects together
Common file extensions are .pfx and .p12
Always store private keys securely with appropriate permissions
Back up your PFX file before extraction
Consider encryption for private key storage in production environments

Resources

OpenSSL manual
- https://www.openssl.org/docs/manmaster/man1/openssl.html
OpenSSL pkcs12 manual
- https://www.openssl.org/docs/manmaster/man1/openssl-pkcs12.html
RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)
- https://web.archive.org/web/20200116104631/https://ftp.gnome.org/mirror/archive/ftp.sunet.se/pub/security/docs/PCA/PKCS/ftp.rsa.com/pkcs-12/pkcs-12v1.pdf
PKCS #12 file on wikipedia
- https://en.wikipedia.org/wiki/PKCS_12
Extracting Certificate and Private Key Files - University of Washington
- https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
Extract Certificate and Private Key - tecadmin.net
- https://tecadmin.net/extract-private-key-and-certificate-files-from-pfx-file/