by lunarg on November 3rd 2016, at 15:41

An SSL certificate and private key can be stored in many formats. Sometimes, it may be necessary to convert from one format to another. One such case is where you have a private and public key (certificate) in PKCS12 (PFX-file) format, and need the individual certificate and private key in X509 format. You can use OpenSSL to perform the conversion.

A PFX-file generally contains both the private and public key (certificate) and is usually secured with a passphrase. If the PFX-file you want to convert is secured with a password, you will need this in order to perform the conversion. If you do not have the password, there's no way to reset this and the PFX-file will be unusable. When performing the conversion, you will be prompted to enter this passphrase ("import passphrase").

Extract the certificate

openssl pkcs12 -in <my-pfx.pfx> -clcerts -nokeys -out <my-cert.crt>

After entering the "import passphrase", the file will be created. As this is the public certificate, you will not be prompted for a passphrase to secure the exported file.

Extract the private key

openssl pkcs12 -in <my-pfx.pfx> -nocerts -out <encrypted-key.key>

Enter the "import passphrase". If it is correct, you will be prompted to enter a passphrase for the exported private key. Enter a password of your choosing and continue. The file will be created.

If you want to have an unencrypted private key, you can decrypt the exported key:

openssl rsa -in <encrypted-key.key> -out <UNSECURE-key.key>

Note that you will have to take precautions to keep this unencrypted file secure!

Sometimes, you may require the private key in PEM format, rather than in X509 format:

openssl rsa -in <encrypted-key.key> -outform PEM -out <encrypted-key.pem>

As PEM-format is also secure, you will prompted to enter a passphrase to secure the exported file.