Extract SSL certificate and key from PFX file

In this tutorial I will show you how to extract the SSL certificate and key from a PFX file, and also how to remove the password from a private SSL key.
If you have landed on this tutorial and do not have a PFX certificate file, please visit: Migrate (move) SSL certificate from Windows to Linux.

The certificate extraction can be done with a tool called OpenSSL, which you can install from your Linux distribution's repository or build from the source here: OpenSSL. You can also use the Windows build: OpenSSL for Windows.

Once you have it installed go to the folder where the PFX certificate is located and execute the following commands:

# To export the private key from the pfx file:
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem

# To export the certificate from the pfx file:
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem

# And now remove the key password:
openssl rsa -in key.pem -out key_with_no_pw.key


You have probably already guessed from the comments what each line does, but I will explain them briefly:

The first line exports the private key from the Windows certificate. Since a PFX key is always exported with a password, you will be prompted to enter it, so you must have it.

The second line exports the certificate from the PFX file.

The third line removes the password from the exported key; again, you will be prompted for the password in order to remove it. You can in fact use a password-protected key with the Apache server, but whenever it is restarted you will be prompted for the passphrase. If you choose this option, forget about automated Apache restarts and keep in mind that you have to enter the passphrase after every server restart, like this:

/etc/init.d/apache2 start
Starting web server (apache2)[Mon Apr 22 23:03:45 2010] [warn] module ssl_module is already loaded, skipping
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:*******

OK: Pass Phrase Dialog successful.


My advice is to remove the password from the SSL key. If someone manages to access the key on the server, that will be the least of your problems.
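To check that the three steps above actually produced a matching pair, here is an added example (not part of the original tutorial) that builds a throwaway PFX, runs the same three openssl commands non-interactively, locks down the unencrypted key's permissions, and compares the RSA modulus of the extracted key and certificate. The file names follow the tutorial; the passwords, the scratch directory and an openssl binary on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Assumptions: the openssl CLI is on PATH; the PFX password is "pfx-secret"
# and the temporary PEM key password is "key-secret" (constructed values).
set -eu

# make_test_pfx DIR: build a throwaway self-signed cert + key and pack them
# into win_cert.pfx, standing in for the file exported from Windows.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/win_cert.pfx" -passout pass:pfx-secret
}

# extract_pfx DIR: the tutorial's three commands, with the passwords supplied
# on the command line instead of at the interactive prompt.
extract_pfx() {
    openssl pkcs12 -in "$1/win_cert.pfx" -nocerts -out "$1/key.pem" \
        -passin pass:pfx-secret -passout pass:key-secret
    openssl pkcs12 -in "$1/win_cert.pfx" -clcerts -nokeys -out "$1/cert.pem" \
        -passin pass:pfx-secret
    openssl rsa -in "$1/key.pem" -passin pass:key-secret \
        -out "$1/key_with_no_pw.key"
    # the unencrypted key is now only as safe as its file permissions
    chmod 600 "$1/key_with_no_pw.key"
}

# key_matches_cert KEY CERT: compare the RSA modulus of both files.
# Prints "match" or "MISMATCH" and returns non-zero on mismatch.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; return 1; fi
}

# run_demo: end to end in a scratch directory; prints "match" on success.
run_demo() {
    d=$(mktemp -d); rc=0
    make_test_pfx "$d" && extract_pfx "$d" \
        && key_matches_cert "$d/key_with_no_pw.key" "$d/cert.pem" || rc=1
    rm -rf "$d"
    return $rc
}
```

On OpenSSL 3.x, a PFX exported by older Windows versions may be encrypted with legacy RC2/3DES algorithms; if the pkcs12 steps fail with an unsupported-algorithm error, add -legacy to the two openssl pkcs12 commands.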

Well, that is it. Now you can rename the key and the certificate as you need and use them.

Another tutorial related to this matter: Renew Windows SSL certificate when no key available.

Also, if you are looking for a tutorial on how to Extract certificates from P7B (PKCS #7), just click on the link.

Filed Under: SSL

Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the Onlinehowto.net website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.

Comments (6)

  1. richard murdoch says:

    Hi how I can generate SSL CSR and Key with OpenSSL?

  2. Tonny says:

    Hi Richard,

    Here is the command line I am often using:

    openssl genrsa -rand source_file1:source_file2 -out www.your_domain.com.key 2048

    These source files should be big files located somewhere on your system.

    For example if you have big mail traffic, you can use:

    /var/log/maillog.25.gz:/var/log/maillog.26.gz

    Another thing: if you do not trust the server, add the "-des3" option. This will ask for and add a password which will protect the key.
    So the final string will look like this:

    openssl genrsa -des3 -rand /var/log/maillog.25.gz:/var/log/maillog.26.gz -out www.your_domain.com.key

    One note here (I wrote that in the tutorial above): if you decide to use the "-des3" option and leave your key with a password, every web server (Apache for example) will ask for the key password, and you should forget about automated web server restarts.

  3. Tony says:

    I had a few inquiries about this tutorial asking for the CSR generation string. So here it is:

    openssl req -new -key key.file -out csr.file

  4. Greg says:

    So I went ahead and installed OpenSSL for Windows. I've exported a .pfx file with my certificate and key. You said, "Once you have it installed go to the folder where the PFX certificate is located and execute the following commands:". How exactly do I execute those commands? I tried using the CMD prompt and got an error that said, "openssl is not recognized as an internal or external command, operable program or batch file".

    Now what? There is no "application" with OpenSSL for Windows. How do I execute that command?

    • Anthony Gee says:

      The application is probably located in the Program Files\OpenSSL folder.
      To run the OpenSSL command, open CMD (command line) and go to the OpenSSL folder, for example
      cd \program files\openssl
      - and there you will be able to execute the commands as described

