OpenTechTips

How to extract the private key, public key and CA cert from PFX

June 27, 2020 - by Zsolt Agoston - last edited on June 28, 2020

A pfx file is a container that holds the private key and public key of an SSL certificate, together with the signing CA's certificate, in a single password-protected file.

Here are the steps to extract these three in case they are needed, for instance when importing them into an Apache server or a load balancer.

If you need to pack the aforementioned three, check out the guide here.

1. Export PFX from an existing server

Run mmc.exe, then add the Certificates snap-in, choosing the Computer cert repository.

Right-click on the cert that you want to export, select "All Tasks", then "Export". Include the private key when asked.

Export all properties, which will include the CA cert in the PFX export. Specify a password with which you can open the pfx later. The password protects the private key from unauthorized people: if malicious parties got hold of the key, they could decrypt intercepted traffic between the server and its clients.

2. Install OpenSSL

We utilize OpenSSL to extract the packed components into a BASE64 encoded plain text format.

Unix systems have the openssl package available. If your system doesn't have it installed, deploy it as below. On a Windows system, get the installer from the location listed below:

# Install OpenSSL on Debian and Ubuntu systems
sudo apt install openssl

# Install OpenSSL on RHEL, CentOS
sudo yum install openssl

# Windows installer location:
https://slproweb.com/products/Win32OpenSSL.html

3. Extract the private key, public key and CA certificate

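We use the following commands to extract the private key to priv.cer, the public key to pub.cer and the CA's certificate into ca.cer from wild.pfx, which holds our *.alwayshotcafe.com wildcard SSL certificate. Use the password you specified earlier when exporting the pfx. Note that pub.cer is the server certificate, which carries the public key, and that -nodes writes the private key to priv.cer unencrypted, so keep that file readable only by the account that needs it.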

# Extract the private key
openssl pkcs12 -in wild.pfx -nocerts -nodes -out priv.cer

# Extract the public key
openssl pkcs12 -in wild.pfx -clcerts -nokeys -out pub.cer

# Extract the CA cert chain
openssl pkcs12 -in wild.pfx -cacerts -nokeys -chain -out ca.cer
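The script below is an added example, not part of the original article: it builds a throwaway PFX, extracts it with the commands above, and then checks that the extracted key matches the certificate and that the certificate verifies against the extracted CA. The subjects, the demo.cnf file, the function names and the password are constructed for the demo; `pass:` is used only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not the article's code). Demo subjects, demo.cnf and the
# password are constructed; wild.pfx, priv.cer, pub.cer, ca.cer follow the article.

make_demo_pfx() {   # $1 = work dir, $2 = PFX password
  ( cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=x\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
    # Self-signed demo CA
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # Leaf key and CSR, signed by the demo CA
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=demo.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out leaf.crt 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
        -out wild.pfx -passout "pass:$2" )
}

extract_pfx() {     # $1 = work dir, $2 = PFX password
  ( cd "$1" || exit 1
    umask 077       # -nodes writes priv.cer unencrypted: keep it owner-only
    # -chain only has an effect together with -export, so it is left out here
    openssl pkcs12 -in wild.pfx -nocerts -nodes -passin "pass:$2" -out priv.cer 2>/dev/null &&
    openssl pkcs12 -in wild.pfx -clcerts -nokeys -passin "pass:$2" -out pub.cer 2>/dev/null &&
    openssl pkcs12 -in wild.pfx -cacerts -nokeys -passin "pass:$2" -out ca.cer 2>/dev/null )
}

check_parts() {     # $1 = work dir; prints "ok" when key, cert and CA belong together
  ( cd "$1" || exit 1
    # The public key derived from the private key must equal the one in the cert
    k=$(openssl pkey -in priv.cer -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in pub.cer -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch"; exit 1; }
    # The certificate must verify against the extracted CA certificate
    openssl verify -CAfile ca.cer pub.cer >/dev/null 2>&1 || { echo "chain broken"; exit 1; }
    echo ok )
}

# Stand-alone run on constructed data
work=$(mktemp -d) && make_demo_pfx "$work" 'Demo-Pass-1' && extract_pfx "$work" 'Demo-Pass-1'
echo "extracted parts: $(check_parts "$work")"
rm -rf "$work"
```

Running `check_parts` against a directory holding real extracted files is a quick check before loading them into a web server or load balancer.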