How to split a pfx file into cert and key?

Michael Leone turgon at
Thu Feb 13 20:33:35 UTC 2020

I received a pfx file from one our techs. A pfx file is a cert and key, all
in one binary file. He needs me to split it out into the cert and the key,
so I can create a new request from that key, and then sign a new cert for

(no, I don't know why he can't just create a new request. And I would
revoke the old cert, except that I am unsure of the details he used in
naming it, so I don't know what to revoke .. So I am stuck trying to see if
I can help the guy, by creating a new request from the private key,
presuming I can extract the private key ...)

Anyways, I found this set of commands

Extracting Certificate and Private Key Files from a .pfx File

   1. Note: the *.pfx file is in PKCS#12 format and includes both the
   certificate and the private key.
   2. Run the following command to export the private key: openssl pkcs12
   -in certname.pfx -nocerts -out key.pem -nodes
   3. Run the following command to export the certificate: openssl pkcs12
   -in certname.pfx -nokeys -out cert.pem
   4. Run the following command to remove the passphrase from the private
   key: openssl rsa -in key.pem -out server.key

But I'm asked for an "Import password" ..

$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out
DCTRNPS001_key.pem -nodes
Enter Import Password:

And I have no idea what an "import" password is. It's not the password for
the private key, so I don't know what it is.

Pointers, anyone?


Mike. Leone, <mailto:turgon at>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <>

This space reserved for future witticisms ...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list