- October 26, 2024
- Posted by: Editor
- Categories: Cybersecurity, Security
What You’ll Need
- Install OpenSSL. On Windows, download the build that matches your operating system (e.g. Win64 OpenSSL).
- The PFX file containing the private key and certificate, and the password that protects it
- Terminal or command prompt access (Windows, macOS, Linux)
A Personal Information Exchange (.pfx or .p12) certificate, also referred to as a PKCS#12 file, is a bundle of the private key, the digital certificate and the intermediate CA certificate(s) in an encrypted format. The format lets you transfer a certificate together with its private key from one computer to another. The private key in a PFX is protected by a password, so when you import the file into another web server you will need to supply that password before the private key can be decrypted and installed.
Key Points
A PFX file contains the SSL certificate, the private key and the intermediate CA certificate bundled together.
PFX files are commonly used to import and export certificates and private keys on Windows.
The main difference between a PFX file and a standard certificate format such as CRT is that the PFX also includes your private key, which is used for encryption and decryption, whereas a CRT holds only the public certificate.
Why You Might Need to Extract a Key and Certificate
If you’re migrating from IIS to Apache, you may find that the certificate installed in IIS is not in a format Apache can use directly, so the key and certificate need to be extracted before they can be installed in Apache.
Exporting the Certificate from IIS
Open IIS Manager on the server.
In the left-hand Connections menu, click on the server’s name.
Double-click Server Certificates in the middle pane.
Find your SSL certificate in the list and click Export on the right-hand side.
You will be prompted to choose a location to export the certificate as a .pfx file and provide a password to protect the private key.
Verify the PFX File Contents (optional)
openssl pkcs12 -info -in yourdomain.pfx
Extracting the Private Key
Note: The files OpenSSL writes below are already PEM-encoded, so if you need a .pem extension you can simply name the output files .pem instead of .crt or .key.
Open a command prompt and change into the directory where you installed OpenSSL.
If you are on Windows and OpenSSL has not been added to your PATH, you may need to run the command as openssl.exe from that directory.
Execute the following command to export the private key file:
openssl pkcs12 -in [yourdomain.pfx] -nocerts -out [encrypted-keyfile.key]
- -nocerts excludes the certificates, leaving only the private key in the output. You will be prompted for the PFX password, and then for a new passphrase to protect the exported key.
Now remove the passphrase from the private key (this command assumes an RSA key). The resulting file is unencrypted, so restrict its permissions to the account that runs the web server:
openssl rsa -in [encrypted-keyfile.key] -out [keyfile-decrypted.key]
Extracting the certificate file
openssl pkcs12 -in [yourdomain.pfx] -clcerts -nokeys -out [certificate.crt]
- -clcerts includes only the client (server) certificate, excluding CA certificates
- -nokeys excludes the private key from the output
If you also need the CA certificates, run the following:
openssl pkcs12 -in yourdomain.pfx -cacerts -nokeys -out ca-certificates.crt
After extraction you should have the following files:
- keyfile-decrypted.key
- certificate.crt
- ca-certificates.crt
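The extraction steps above as a POSIX shell script, with two checks worth running before the files go anywhere near a server: that the decrypted key really belongs to the extracted certificate, and that the leaf certificate chains to the extracted CA certificates. This is an added example, not code from the original post; it assumes `openssl` (1.1.x or 3.x) is on PATH and builds its own throwaway CA and PFX, so every file name and the password are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the extraction steps as a script, plus the
# checks to run before copying files to a server. Assumes `openssl` 1.1.x or 3.x is on
# PATH; every file name and the password below are constructed for this demo.
set -eu

# extract_pfx PFX PASSWORD OUTDIR
# Writes OUTDIR/keyfile-decrypted.key, OUTDIR/certificate.crt, OUTDIR/ca-certificates.crt
extract_pfx() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  # Private key only (-nocerts); still encrypted, here under the same password
  openssl pkcs12 -in "$pfx" -nocerts -out "$out/encrypted-keyfile.key" \
    -passin "pass:$pass" -passout "pass:$pass"
  # Remove the passphrase, then lock both files down: the key is now plaintext on disk
  openssl rsa -in "$out/encrypted-keyfile.key" -out "$out/keyfile-decrypted.key" \
    -passin "pass:$pass"
  chmod 600 "$out/encrypted-keyfile.key" "$out/keyfile-decrypted.key"
  # Leaf certificate only (-clcerts -nokeys), then CA certificates only (-cacerts -nokeys)
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/certificate.crt" -passin "pass:$pass"
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$out/ca-certificates.crt" -passin "pass:$pass"
}

# key_matches_cert KEY CERT: succeeds only if the key's public half equals the certificate's
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies CERT CAFILE: succeeds if CERT chains to a trust anchor in CAFILE
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Demo input: a throwaway CA and leaf, bundled into a PFX the way IIS would export one
DEMO=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
  -keyout "$DEMO/ca.key" -out "$DEMO/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=yourdomain.example" \
  -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/ca.crt" -CAkey "$DEMO/ca.key" \
  -set_serial 1 -days 2 -out "$DEMO/leaf.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$DEMO/leaf.key" -in "$DEMO/leaf.crt" -certfile "$DEMO/ca.crt" \
  -out "$DEMO/yourdomain.pfx" -passout pass:demo-password

extract_pfx "$DEMO/yourdomain.pfx" demo-password "$DEMO/out"
key_matches_cert "$DEMO/out/keyfile-decrypted.key" "$DEMO/out/certificate.crt"
chain_verifies "$DEMO/out/certificate.crt" "$DEMO/out/ca-certificates.crt"
echo "extracted to $DEMO/out: key matches certificate and the chain verifies"
```

Because the script runs under set -e, a key/certificate mismatch or a broken chain aborts it with a non-zero exit instead of printing the success line.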
If you’re using Apache, add the following lines to your httpd-ssl.conf file. The paths must match the locations where you copied the .crt and .key files on your server.
SSLCertificateFile /etc/ssl/servercert.crt
SSLCertificateKeyFile /etc/ssl/privatekey.key
SSLCertificateChainFile /etc/ssl/ca-certificates.crt
We’ve walked through using OpenSSL to extract the private key and certificate files from a PFX file so the components can be used separately in other applications. The extracted files can now be used to configure web servers such as Apache or NGINX, secure mail servers, or other services that require SSL. Always keep your private key safe, as it is essential to your server’s security, especially if you removed the passphrase for automation.
Additional Resources