How to split a pfx file into cert and key?
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Thu Feb 13 21:32:23 UTC 2020
It’s the password which protects the p12 file. If you were given a ‘PIN’ for your pfx file, try that.
OpenSSL calls it ‘import password’, because it is importing from p12 format and exporting to
Two remarks about those three commands:
If you omit the `-nodes` argument in the first command, OpenSSL will ask you for another
password to encrypt the private key, which I’d recommend if it’s an important key.
The third command is only necessary if you omitted `-nodes` in the first step, because
otherwise the key already is unencrypted and has no passphrase.
1. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
2. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
3. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Michael Leone
Sent: Thursday, February 13, 2020 9:34 PM
To: openssl-users at openssl.org
Subject: How to split a pfx file into cert and key?
I received a pfx file from one of our techs. A pfx file is a cert and key, all in one binary file. He needs me to split it out into the cert and the key, so I can create a new request from that key, and then sign a new cert for him.
(no, I don't know why he can't just create a new request. And I would revoke the old cert, except that I am unsure of the details he used in naming it, so I don't know what to revoke .. So I am stuck trying to see if I can help the guy, by creating a new request from the private key, presuming I can extract the private key ...)
Anyways, I found this set of commands
Extracting Certificate and Private Key Files from a .pfx File<https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File>
1. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key
But I'm asked for an "Import password" ..
$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out DCTRNPS001_key.pem -nodes
Enter Import Password:
And I have no idea what an "import" password is. It's not the password for the private key, so I don't know what it is.
Mike. Leone, <mailto:turgon at mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...
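
The split discussed in this thread, run non-interactively on a throwaway sample, followed by a check that the extracted key really belongs to the extracted certificate and by the new request the original poster wanted. This is an added example, not part of either message; the `PFX_PASS` variable, the `sample.invalid` subject, the file names and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: split a PKCS#12 file, confirm key and cert pair up, build a CSR.
set -eu
umask 077   # -nodes writes the key unencrypted, so keep new files owner-only

# Constructed sample input: a throwaway self-signed cert bundled as sample.pfx.
make_sample_pfx() {   # $1 = work dir; the p12 password is read from $PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -keyout "$1/orig_key.pem" -out "$1/orig_cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig_key.pem" -in "$1/orig_cert.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

# The two export commands from the thread. The import password comes from the
# environment, so it is neither typed at a prompt nor placed on the command line.
split_pfx() {         # $1 = pfx file, $2 = output dir
    openssl pkcs12 -in "$1" -nocerts -nodes -out "$2/key.pem" -passin env:PFX_PASS 2>/dev/null
    openssl pkcs12 -in "$1" -nokeys -out "$2/cert.pem" -passin env:PFX_PASS 2>/dev/null
}

# SHA-256 over the DER public key, read as PEM on stdin.
pub_sha256() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
key_pub()  { openssl pkey -in "$1" -pubout | pub_sha256; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey | pub_sha256; }
csr_pub()  { openssl req -in "$1" -noout -pubkey | pub_sha256; }

key_matches_cert() { [ "$(key_pub "$1")" = "$(cert_pub "$2")" ]; }

# New request from the extracted key (the goal stated in the original question).
new_csr() {           # $1 = key, $2 = subject, $3 = output CSR
    openssl req -new -key "$1" -subj "$2" -out "$3"
}

demo() {
    d=$(mktemp -d)
    PFX_PASS='constructed-sample-pass'; export PFX_PASS   # made-up value
    make_sample_pfx "$d"
    split_pfx "$d/sample.pfx" "$d"
    key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key matches certificate"
    new_csr "$d/key.pem" "/CN=sample.invalid" "$d/new.csr"
    [ "$(csr_pub "$d/new.csr")" = "$(cert_pub "$d/cert.pem")" ] && echo "CSR carries the same public key"
    rm -rf "$d"
}
demo
```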