In this tutorial I will show you how to extract SSL certificate and key from PFX file and also how to remove a password from a private SSL key.
If you have landed on this tutorial and do not have PFX certificate file please visit: Migrate (move) SSL certificate from Windows to Linux.
The certificate extraction can be done with a tool called Open SSL that you may install from the Linux server repository, or take the source from here: OpenSSL. Also you can use the Windows version: OpenSSL for Windows.
Once you have it installed go to the folder where the PFX certificate is located and execute the following commands:
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem
# To export the certificate from the pfx file:
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem
# And now remove the key password:
openssl rsa -in key.pem -out key_with_no_pw.key
Probably from the comments, you guessed already what line what is doing, but I will explain these lines briefly:
The first line will export the private key from the windows certificate and since PFX key is always exported with a password, you will be prompted to enter one. So you must have it.
The second line will export certificate from the PFX file.
Again, you will need the PFX file password in order to remove it. In fact you can use the certificate with Apache server, but whenever it is restarted you will be prompted for a passphrase. If you choose this case, forget for automated Apache restarts and take in mind that you have to enter the pass after server restart. Like this one:
Starting web server (apache2)…[Mon Apr 22 23:03:45 2010] [warn] module ssl_module is already loaded, skipping
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server 127.0.0.1:443 (RSA)
Enter pass phrase:*******
OK: Pass Phrase Dialog successful.
My advice is to remove the password from the SSL key. If someone manage to access it on the server, this will be you’re the least of your problems.
Well, that is it. Now you can rename the key and the certificate as per your needs and to use them.
I have another tutorial related to the matter is: Renew Windows SSL certificate when no key available.
Also if you are looking for tutorial how to Extract certificates from P7B (PKCS #7) just click on the link.
- pfx file (381)
- pfx to key (253)
- extract private key from pfx (117)
- extract certificate from pfx (80)
- extract key from pfx (71)
- export private key from pfx (56)
- extract pfx (55)
- pfx key (55)
- extract cert from pfx (48)
- how to extract certificate from pfx (37)
- export key from pfx (31)
- how to extract private key from pfx (30)
- pfx password (24)
- key pfx (21)
- yhs-fullyhosted_003 (21)
- pfx extract private key (20)
- extract pfx file (19)
- remove password from pfx (19)
- how to extract pfx files (17)
- extract cer from pfx (15)
Filed Under: SSL
About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the Onlinehowto.net website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.