Cheatsheet: How to extract certificate and private key from a PFX file

How to extract certificate and private key from a PFX file

Given PFX file

stern-domain-at.pfx (optionally secured with passphrase)

OpenSSL needs to be installed

Commands

Export certificate

openssl pkcs12 -in stern-domain-at.pfx -nokeys -out cert.pem

Export private key (passphrase will not be removed)

openssl pkcs12 -in stern-domain-at.pfx -nocerts -out key.pem

Remove passphrase from the exported private key

openssl rsa -in key.pem -out server.key

Final results

  • cert.pem contains a number of certificates (Public, Intermediate, Root)
  • key.pem contains private key (secured by passphrase)
  • server.key contains the private key without passphrase

Check if your certificate matches the key file

The modulus check applies to RSA keys only: you won't find a modulus if your private key or certificate uses ECC (Elliptic Curve Cryptography)!

Run the following commands and compare the output. The modulus is the same if they match.

openssl rsa -noout -modulus -in server.key
openssl x509 -noout -modulus -in cert.pem

Alternatively, use diff

diff <(openssl rsa -noout -modulus -in server.key) <(openssl x509 -noout -modulus -in cert.pem)

Check if your Certificate Signing Request (CSR) matches

openssl req -noout -modulus -in yourCertificateSignRequestFile.csr
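
The modulus comparison above only works for RSA. The script below is an added example, not part of the original cheatsheet: it goes beyond the modulus check by comparing the public key carried by the key, certificate and CSR, which works for both RSA and ECC. The function names and sample file names are hypothetical, and the sample files are constructed throwaway data.

```shell
#!/usr/bin/env bash
# Added example (not from the original cheatsheet): match check that works
# for RSA and ECC by comparing the public key embedded in each file.
# Function names are hypothetical.

# Print the PEM public key of a file. $1 = key|cert|csr, $2 = path.
pubkey_of() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;        # derived from the private key
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;; # first certificate in the file only
    csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
    *)    return 2 ;;
  esac
}

# Exit 0 if both files carry the same public key, 1 if not, 2 if unreadable.
# Usage: same_pubkey key server.key cert cert.pem
same_pubkey() {
  local a b
  a=$(pubkey_of "$1" "$2") || return 2
  b=$(pubkey_of "$3" "$4") || return 2
  # Never compare empty output: two failed reads must not look like a match.
  [ -n "$a" ] && [ -n "$b" ] || return 2
  [ "$a" = "$b" ]
}

# Constructed sample input: throwaway P-256 key, self-signed certificate,
# CSR, and an unrelated second key. $1 = empty directory to write into.
make_samples() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key" &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key" &&
  openssl req -new -x509 -key "$1/server.key" -subj "/CN=example.test" -days 1 -out "$1/cert.pem" &&
  openssl req -new -key "$1/server.key" -subj "/CN=example.test" -out "$1/req.csr"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_samples "$d" 2>/dev/null
  same_pubkey key "$d/server.key" cert "$d/cert.pem" && echo "key matches cert"
  same_pubkey key "$d/server.key" csr  "$d/req.csr"  && echo "key matches CSR"
  same_pubkey key "$d/other.key"  cert "$d/cert.pem" || echo "other key does not match"
  rm -rf "$d"
fi
```

Because cert.pem exported from a PFX can hold several certificates, the check reads only the first one in the file; confirm that it is the server certificate and not an intermediate.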