FreeKB - OpenSSL Extract certificate and private key from a PFX or P12 file

Let's say you have a .pfx or .p12 file that contains both a certificate and a private key. Before using OpenSSL, the file command (on Linux) can be used to check that foo.pfx is an ASCII file.

~]# file foo.pfx
foo.pfx: ASCII text

The following commands can be used to extract only the public certificate or only the private key from the .pfx or .p12 file.

Extract all certificates in the pfx

The following OpenSSL command can be used to extract all of the certificates in the PFX file. For example, if the PFX file contains a root certificate, an intermediate certificate, and a server certificate, this command will extract all three certificates.

openssl pkcs12 -in foo.p12 -out bar.pem -nokeys


Or, the -clcerts flag can be used to only extract the server certificate.

openssl pkcs12 -in foo.p12 -out bar.pem -nokeys -clcerts


This command will produce a PEM file (bar.pem above, commonly renamed to .cer or .crt) that begins with the following.

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example.com
subject=/C=US/ST=WI/L=Appleton…
issuer=/DC=com/DC=example…
-----BEGIN CERTIFICATE-----


The text before BEGIN CERTIFICATE can cause issues when the certificate is imported into a trust store. If the certificate begins with this additional data, edit the .crt file so that it begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. Then the openssl x509 -text -noout -in bar.pem command can be used to confirm the file has the expected content, such as the expected issuer and expiration date.

-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----



Extract the private key

The following command will export the private key.

openssl pkcs12 -in foo.p12 -out bar.key -nodes -nocerts


If the .pfx or .p12 file is password protected, you will be prompted for the password. Or, the -passin option can be used.

openssl pkcs12 -in foo.p12 -out bar.key -nodes -nocerts -passin pass:your_password


If the key is successfully extracted, the following should be displayed.

MAC verified OK


This command will produce a .key file that begins with the following. The text before BEGIN PRIVATE KEY can cause issues when the key is imported into a key store. If the key file begins with this additional data, edit the .key file so that it begins with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.

Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example.com
subject=/C=US/ST=WI/L=Appleton…
issuer=/DC=com/DC=example…
-----BEGIN PRIVATE KEY-----


bar.key should now contain something like this.

-----BEGIN PRIVATE KEY-----
. . .
-----END PRIVATE KEY-----
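As an added example (not from the original article), the following shell script automates the cleanup described above for both the certificate and the key file, and adds a check that the extracted key actually belongs to the extracted certificate. The sample input is constructed to mirror the article's output, and verify_key_matches_cert assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the original article: keep only the PEM block(s)
# from "openssl pkcs12" output, dropping the Bag Attributes/subject/issuer lines.

# Print every line from a "-----BEGIN" line through its "-----END" line;
# anything outside a block is discarded. Handles multi-certificate chains.
strip_bag_attributes() {
    awk '/^-----BEGIN /{inblock=1} inblock{print} /^-----END /{inblock=0}' "$1"
}

# Write the cleaned output with owner-only permissions; this matters most
# for a key file produced with -nodes, which holds the key unencrypted.
clean_pem_file() {
    ( umask 077; strip_bag_attributes "$1" > "$2" )
}

# Number of PEM blocks: with -nokeys this is the whole chain, with
# -nokeys -clcerts it should be exactly 1 (the server certificate).
count_pem_blocks() {
    grep -c '^-----BEGIN ' "$1"
}

# Confirm the extracted key belongs to the extracted certificate by
# comparing public key digests. Needs the openssl binary on PATH.
verify_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] && echo match || echo MISMATCH
}

# Constructed sample mirroring the article's output (placeholder bodies,
# not real certificates), written to a temp file so this runs offline.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example.com
subject=/C=US/ST=WI/L=Appleton
issuer=/DC=com/DC=example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 02 00 00 00
subject=/DC=com/DC=example
issuer=/DC=com/DC=example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
```

Run `clean_pem_file bar.pem bar.crt` (and the same for bar.key) to produce files that start at the BEGIN line, then `verify_key_matches_cert bar.crt bar.key` should print match.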

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |