Extract Certificate and Private Key from PFX File
The PKCS #12 (Public Key Cryptography Standard #12) is an archive file format for storing many cryptography objects, including a private key with its X.509 certificate.
The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. They were first published in 1991.
The filename extensions for the PKCS #12 are .pfx (Personal Information Exchange) or .p12.
This guide explains how to extract X.509 certificates and private keys from PKCS #12 (.pfx) files using OpenSSL.
The Linux distribution used was Ubuntu 20.04 and the OpenSSL version was 1.1.1, but this guide should also work on newer Linux distributions and OpenSSL versions.
Prerequisites
Check your OpenSSL version before proceeding:
openssl version
If OpenSSL isn't installed, install it using your package manager:
sudo apt install openssl -y
Extraction Process
1. Extract the Private Key
For OpenSSL 3.0 and newer:
openssl pkcs12 -in certificate.pfx -nocerts -out private-key.pem -noenc
For OpenSSL versions below 3.0:
openssl pkcs12 -in certificate.pfx -nocerts -out private-key.pem -nodes
Command explanation:
- -in certificate.pfx: Input PFX file path
- -nocerts: Only output private keys
- -out private-key.pem: Output file path
- -noenc / -nodes: Disable private key encryption
2. Extract the Certificate
openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem
Command explanation:
- -in certificate.pfx: Input PFX file path
- -nokeys: Only output certificates
- -out certificate.pem: Output file path
3. Verify the Extracted Files
Check the certificate content:
openssl x509 -in certificate.pem -text -noout
Verify the private key (this command applies to RSA keys):
openssl rsa -in private-key.pem -check
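The three steps above combined into one script, as an added example that is not part of the original guide: it reads the PFX password from an environment variable, creates the output files under a restrictive umask, and confirms that the extracted key and certificate carry the same public key. The function names, the PFX_PASS variable and the use of -clcerts are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names and the
# PFX_PASS variable are assumptions made for this illustration.

# Choose the "do not encrypt the key" flag for the installed tool:
# -nodes before OpenSSL 3.0 (and on LibreSSL), -noenc from 3.0 on.
noenc_flag() {
    case "$(openssl version)" in
        "OpenSSL 0."*|"OpenSSL 1."*|LibreSSL*) echo "-nodes" ;;
        *)                                     echo "-noenc" ;;
    esac
}

# extract_pfx PFX OUTDIR
# The PFX password is taken from the environment (-passin env:PFX_PASS)
# so it is not typed on the command line or saved in shell history.
extract_pfx() {
    pfx=$1
    outdir=$2
    (
        umask 077   # anything created here is accessible to the owner only
        mkdir -p "$outdir" &&
        openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts \
            "$(noenc_flag)" -out "$outdir/private-key.pem" &&
        # -clcerts: write only the leaf certificate, not the CA chain,
        # so the comparison below uses the certificate tied to the key.
        openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts \
            -out "$outdir/certificate.pem"
    )
}

# key_matches_cert KEY CERT
# Succeeds only if both files parse and hold the same public key.
# Works for any key type "openssl pkey" understands, not only RSA.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage (file names as in the guide):
#   export PFX_PASS='...'; extract_pfx certificate.pfx ./out
#   key_matches_cert ./out/private-key.pem ./out/certificate.pem && echo match
```

Unset PFX_PASS once extraction is done, since the variable stays readable by the shell and its child processes for as long as it is exported.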
Additional Notes
- The PKCS #12 format (PFX) is designed for storing multiple cryptographic objects together
- Common file extensions are .pfx and .p12
- Always store private keys securely with appropriate permissions
- Back up your PFX file before extraction
- Consider encryption for private key storage in production environments
Resources
- OpenSSL manual
- OpenSSL pkcs12 manual
- RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)
- PKCS #12 file on Wikipedia
- Extracting Certificate and Private Key Files - University of Washington
- Extract Certificate and Private Key - tecadmin.net