Pfx is mostly known in Windows environments as a certificate archive format. It’s a binary encapsulating the public certificate, private key, and intermediate certificates. Its most general name is PKCS12 format.
Most of the time the pfx files are protected with a password. So you need to know the password of the pfx file if you want to operate on it.
Sometimes I need plain text certificates and/or the private keys. In order to extract these from the pfx file, the OpenSSL tool can be used.
The following steps show how to get a public certificate and plain text private key out of the certificate pfx.
STEP 1: Exporting certificate file (public.crt):
OpenSSL> pkcs12 -in input.pfx -clcerts -nokeys -out public.crt
You should enter the password of the pfx file in order to export the public certificate (public.crt).
STEP 2: Exporting encrypted certificate key (private.key):
OpenSSL> pkcs12 -in input.pfx -nocerts -out private.key
You should first enter the password of the pfx file to start export operation and then provide a new password to secure the private.key file.
STEP 3: Generating PEM certificate key (private-pem.key):
OpenSSL> rsa -in private.key -outform PEM -out private-pem.key
You should enter the password of the private.key file in order to generate the private-pem.key file.
Or, One Step Command for Extracting Data:
OpenSSL> pkcs12 -in input.pfx -out fields.txt -nodes
You should enter the password of the pfx file. The resulting fields.txt includes sections for the private key (beginning with “ — -BEGIN PRIVATE KEY —”) and public certificate (beginning with “ — BEGIN CERTIFICATE — ”). You can copy and paste these sections into two different files with .key and .crt extensions.
Hope it helps!