Extract key and certificate from PFX archive

19/11/2020 - 15:36
No votes yet

So you are sent a PFX (or PKCS #12) archive file and you need to somehow extract the contents into a format you can use, for example, to setup TLS on a Apache HTTP server. Luckily OpenSSL can manipulated these .pfx archive files so you get the private key and certificate out from the file easily.

Extract the private key

openssl pkcs12 -in domain.pfx -nocerts -out domain-private-key.pem

openssl with prompt for password pass phare, these you should have recieved from the same source as the .pfx file.

Enter Import Password: xxx
Enter PEM pass phrase: yyy
Verifying - Enter PEM pass phrase: yyy

If all goes well, you should now have the private key in the file domain-private-key.pem. It might contains some extra information, edit the file with your favorite text editor and remove anything before the:


line in the file.

Extract the certificate

openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain-certificate.pem

OpenSSL with prompt for a password:

Enter Import Password:

And if all goes well you should now have the certificate file, do the same as for the private key, cleanup any extras before the line:


Now you have the key and certificate, have fun configuring Apache or whatever is your target.