Extract SSL certificate and key from PFX file

In this tutorial I will show you how to extract an SSL certificate and key from a PFX file, and also how to remove the password from a private SSL key.
If you have landed on this tutorial and do not have a PFX certificate file, please visit: Migrate (move) SSL certificate from Windows to Linux.

The certificate extraction can be done with a tool called OpenSSL, which you can install from the Linux server's repository or build from the source available here: OpenSSL. You can also use the Windows version: OpenSSL for Windows.

Once you have it installed, go to the folder where the PFX certificate is located and execute the following commands:


You have probably already guessed from the comments what each line does, but I will explain these lines briefly:

The first line will export the private key from the Windows certificate. Since a PFX key is always exported with a password, you will be prompted to enter one, so you must have it.

The second line will export the certificate from the PFX file.

Again, you will need the PFX file password in order to remove the password from the key. In fact, you can use the certificate with the Apache server, but whenever it is restarted you will be prompted for a passphrase. If you choose this option, forget about automated Apache restarts and keep in mind that you have to enter the passphrase after each server restart, like this:


My advice is to remove the password from the SSL key. If someone manages to access it on the server, this will be the least of your problems.

Well, that is it. Now you can rename the key and the certificate as per your needs and use them.
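
The procedure described above, as an added example that is not this tutorial's own command listing: it exports the encrypted key and the certificate from a PFX, writes a passphrase-free copy of the key with owner-only permissions, and checks that the key and certificate belong together. The `cert.pem` name and the `PFX_PASS` environment variable are assumptions; `key.pem` and `key_with_no_pw.key` follow the command quoted in the comments below.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands. Assumptions: the PFX password
# is supplied in the PFX_PASS environment variable (so nothing prompts and the
# password stays off the command line) and the key inside the PFX is RSA.

# extract_pfx <file.pfx> <outdir>  (body runs in a subshell, so umask is local)
extract_pfx() (
    pfx=$1 out=$2
    umask 077                       # new key files readable by the owner only
    mkdir -p "$out" || exit 1
    # 1. Private key, re-encrypted on output with the same passphrase.
    openssl pkcs12 -in "$pfx" -nocerts \
        -passin env:PFX_PASS -passout env:PFX_PASS -out "$out/key.pem" || exit 1
    # 2. The server (leaf) certificate only, without keys or CA certificates.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys \
        -passin env:PFX_PASS -out "$out/cert.pem" || exit 1
    # 3. Passphrase-free copy of the key, for unattended web server restarts.
    openssl rsa -in "$out/key.pem" -passin env:PFX_PASS \
        -out "$out/key_with_no_pw.key" || exit 1
)

# key_matches_cert <unencrypted key> <cert>: succeeds only when both files
# carry the same public key, i.e. the extracted pair belongs together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: PFX_PASS='...' sh extract.sh site.pfx ./out
if [ "$#" -eq 2 ]; then
    extract_pfx "$1" "$2" &&
        key_matches_cert "$2/key_with_no_pw.key" "$2/cert.pem" &&
        echo "key and certificate match"
fi
```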

Another tutorial of mine related to this matter is: Renew Windows SSL certificate when no key available.
Also, if you are looking for a tutorial on how to Extract certificates from P7B (PKCS #7), just click on the link.



Anthony Gee About the Author: Anthony G. is an IT specialist with more than 9 years of solid working experience in the Web Hosting industry. Currently works as server support administrator, involved in consultative discussions about Web Hosting and server administration. One of the first writers in the Onlinehowto.net website, now writing for Free Tutorials community - he is publishing tutorials and articles for the wide public, as well as specific technical solutions.

Comments (8)

  1. richard murdoch says:

    Hi, how can I generate an SSL CSR and key with OpenSSL?

  2. Tonny says:

    Hi Richard,

    Here is the command line I often use:

    openssl genrsa -rand source_file1:source_file2 -out www.your_domain.com.key 2048

    These source files should be big files located somewhere on your system.

    For example, if you have big mail traffic, you can use:


    Another thing: if you do not trust the server, add the “-des3” option. This will ask for and add a password which will protect the key.
    So the final string will look like this:

    openssl genrsa -des3 -rand /var/log/maillog.25.gz:/var/log/maillog.26.gz -out www.your_domain.com.key

    One note here (I wrote that in the tutorial above): if you decide to use the “-des3” option and leave your key with a password, every web server (Apache, for example) will ask for the key password, and you should forget about automated web server restarts.

  3. Tony says:

    I had a few inquiries about this tut asking to put the CSR generation string. So here it is:

    openssl req -new -key key.file -out csr.file

  4. Greg says:

    So I went ahead and installed OpenSSL for Windows. I’ve exported a .pfx file with my certificate and key. You said, “Once you have it installed go to the folder where the PFX certificate is located and execute the following commands:”. How exactly do I execute those commands? I tried using the CMD prompt and got an error that said, “openssl is not recognized as an internal or external command, operable program or batch file”.

    Now what? There is no “application” with OpenSSL for Windows. How do I execute that command?

    • Anthony Gee Anthony Gee says:

      The application is probably located in the Program Files\OpenSSL folder.
      To run the OpenSSL command, open CMD (command line) and go to the OpenSSL folder, for example:
      cd \program files\openssl
      There you will be able to execute the commands as described.

  5. COCL says:


    I am stuck at this step:

    openssl rsa -in key.pem -out key_with_no_pw.key

    error message:
    c:\OpenSSL-Win64\bin>openssl rsa -in key.pem -out key_with_no_pw.key
    WARNING: can’t open config file: /usr/local/ssl/openssl.cnf
    unable to load Private Key
    26056:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_li
    b.c:703:Expecting: ANY PRIVATE KEY

    Please help

  6. Beni says:

    where to put this
