# How to extract certificate and private key from a PFX file

## Given PFX file

`stern-domain-at.pfx` (optionally secured with passphrase)

**Openssl needs to be installed**

## Commands

Export certificate

```bash
openssl pkcs12 -in stern-domain-at.pfx -nokeys -out cert.pem
```

Export private key (passphrase will not be removed)

```bash
openssl pkcs12 -in stern-domain-at.pfx -nocerts -out key.pem -nodes
```

Remove passphrase from the exported private key

```bash
openssl rsa -in key.pem -nocerts -out server.key
```
---

## Final results

* `cert.pem` contains a number of certificates (Public, Intermidiate, Root)
* `key.pem` contains private key (secured by passphrase)
* `server.key` contains the private key without passphrase

---

## Check if your certificate matches the key file
> You won't find a modulus if your private key or your certificate is signed with ECC (Elliptic Curve Cryptography)!

Run following commands and compare the output. The modulus is the same if they match.
```bash
openssl rsa -noout -modulus -in server.key
openssl x509 -noout -modulus -in cert.pem
```

Alternative use `diff`
```bash
diff <(openssl rsa -noout -modulus -in server.key) <(openssl x509 -noout -modulus -in cert.pem)
```

## Check if your Certificate Sign Request matches

```bash
openssl req -noout -modulus -in yourCertificateSignRequestFile.csr
```