TL;DR: This 7-minute guide will help you convert your .pfx file into a .crt file or a .key file (decrypted from the encrypted key) using OpenSSL commands, for free. I kept 3 minutes as a buffer 😉. Using this trick, you can:
- Convert PFX to CRT
- Convert PFX to KEY
- Extract private key from PFX
- OpenSSL commands for SSL certificates
- PFX to PEM conversion
Looking to extract a private key from a PFX file? You are in the right place.
Install OpenSSL:
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information, you can visit the official website.
Let's say you have already received the .pfx certificate from an SSL provider/registrar such as Network Solutions, GoDaddy, BigRock, etc. In that case you can follow the steps below without any hurdles.
Run the commands below to convert the file to .crt/.key.
Prerequisites for Converting PFX Files
- The OpenSSL package must be installed on your system.
- You must have the .pfx file for your chosen domain name.
- A Windows/Ubuntu/Linux system on which to run the OpenSSL package.
Image : pfx to crt and key | Image ©️ by Author Rakshit Shah
Step 1: Extract private key from PFX
- Question: How do I extract a private key from a PFX file using OpenSSL?
- Answer: You can extract the private key from a PFX file using the following OpenSSL command:
openssl pkcs12 -in [yourfilename.pfx] -nocerts -out [keyfilename-encrypted.key]
This command extracts the private key from the .pfx file. OpenSSL first asks for the import password of the .pfx file, which protects the key pair stored in it. After you enter the import password, OpenSSL asks you to type a new password twice. This new password protects the .key file. #SafetyFirst
theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl pkcs12 -in samplefilename.pfx -nocerts -out samplefilenameencrypted.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
theraxton@ubuntu:~/Downloads/SSL-certificate$
Note that while you type a password, nothing is shown on the screen, but the characters are still being entered. Press Enter once you have typed your secure password.
Step 2: Convert PFX to CRT [Extract .crt file from the .pfx certificate]
openssl pkcs12 -in [yourfilename.pfx] -clcerts -nokeys -out [certificatename.crt]
Press Enter, type the password for your certificate, and press Enter again. Your certificate will then appear in the same directory.
theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl pkcs12 -in samplefile.pfx -clcerts -nokeys -out samplefileencrypted.crt
Enter Import Password:
Step 3: Convert PFX to KEY [Generate .KEY File Using OpenSSL]
[Extract the .key file from the encrypted private key from step 1]
openssl rsa -in [keyfilename-encrypted.key] -out [keyfilename-decrypted.key]
Enter the pass phrase we created in step 1 (the one that protects the encrypted .key file). Now we have a certificate (.crt) and two private keys (encrypted and unencrypted).
theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl rsa -in samplefilenameencrypted.key -out samplefilenameunencrypted.key
Enter pass phrase for samplefilenameencrypted.key:
writing RSA key
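The three steps above as one non-interactive script, added here as an example (it is not the author's code). It builds a throwaway self-signed PFX, splits it with the same commands, and confirms that the extracted key belongs to the extracted certificate; the function names, file names and the pass phrase `demo-pass` are all constructed for the example.

```shell
#!/bin/sh
# Added example. File names and the pass phrase 'demo-pass' are constructed.
# "pass:" puts the secret on the command line (visible in the process list);
# for a real key use OpenSSL's "file:" or "env:" pass phrase sources instead.

# make_demo_pfx DIR PASS: throwaway self-signed cert + key bundled as demo.pfx
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
        -passout "pass:$2" -out "$1/demo.pfx"
}

# split_pfx PFX PASS OUTDIR: steps 1-3; PASS is reused as the PEM pass phrase
split_pfx() {
    (
        umask 077   # key files must not be readable by other users
        # Step 1: private key, still encrypted
        openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" \
            -passout "pass:$2" -out "$3/site-encrypted.key" &&
        # Step 2: client/leaf certificate only, no keys
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" \
            -out "$3/site.crt" &&
        # Step 3: decrypted copy of the key
        openssl rsa -in "$3/site-encrypted.key" -passin "pass:$2" \
            -out "$3/site.key"
    ) 2>/dev/null
}

# SHA-256 over the PEM public key found in a certificate / in a private key
cert_pub_digest() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
key_pub_digest() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256; }

# check_roundtrip: returns 0 when the extracted key matches the extracted cert
check_roundtrip() {
    d=$(mktemp -d) || return 1
    make_demo_pfx "$d" 'demo-pass' && split_pfx "$d/demo.pfx" 'demo-pass' "$d" &&
        [ "$(cert_pub_digest "$d/site.crt")" = "$(key_pub_digest "$d/site.key")" ]
    rc=$?
    rm -rf "$d"
    return "$rc"
}

check_roundtrip && echo "extracted key matches extracted certificate"
```

Comparing the two public-key digests is a quick way to catch a .crt and .key that came from different PFX files before a server refuses to start with them.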
Now that you have successfully converted your PFX file into .crt and .key files, you can seamlessly use them in your Node / Angular / Java applications. Have any issues? Drop a comment below!
I tried like mentioned above: it worked for me!
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx
Hello Alpesh, thanks for sharing the answer with command.
I have replaced certificate.cer with certificate.crt and it worked for me.
Well done, I have something for you to add to your answer. It might help people who are looking into this issue.
If you have a self-signed certificate generated by makecert.exe on a Windows machine, you will get two files: cert.pvk and cert.cer. These can be converted to a pfx using pvk2pfx.
pvk2pfx is found in the same location as makecert (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x86 or similar)
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx
You need to use the makecert tool.
Open a command prompt as admin and type the following:
Command:
makecert -sky exchange -r -n "CN=" -pe -a sha1 -len 2048 -ss My ".cer"
Where = the name of your cert to create.
Then you can open the Certificate Manager snap-in for the management console by typing certmgr.msc in the Start menu, click personal > certificates > and your cert should be available.
Here is an article. Check this out:
https://azure.microsoft.com/documentation/articles/cloud-services-certs-create/
# Solution for Windows that doesn’t require OpenSSL installed #
I recently was trying to solve the same issue – and I only had a Windows laptop with no OpenSSL installed (and not enough admin rights to install it). Turns out Windows has a built-in utility called certutil that is capable of combining .crt and .key files into .pfx. Docs are here.
You need to create a new folder and place your .crt and .key files in it. Rename both files to have the same name (but different extension):
{{sitename}}.crt
{{siteName}}.key
In case your key file is a regular txt – just change extension to .key.
After that open cmd in that folder and run certutil -mergepfx [INPUTFILE] [OUTPUTFILE]
Example:
certificate file: mySite.crt
key file: mySite.key
certutil command: certutil -mergepfx mySite.crt mySite.pfx
Note: you will be asked to provide password for newly created .pfx file – don’t forget to memorise/store it – as it will be required during certificate import on the target system.
Awesome, this article worked for me…
I created .pfx file from .key and .pem files.
Like this >> openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
That’s not the direct answer but still maybe it helps out someone else.
“The key file is just a text file with your private key in it.” True, except when it isn’t.