Convert .pfx to separate certificate and private key file

SSL certificates generated/exported via Windows are usually in the .pfx format. However some applications such as Linux or Java based applications require the certificate and private key to be in separate files. With the commands below you can export the individual parts from the .pfx file.

1. Export certificate and private key from .pfx with OpenSSL

Run the commands below on a system that has OpenSSL installed. On most Linux systems OpenSSL is installed by default, so there it should work out-of-the-box:

// Generates an encrypted private key file
openssl pkcs12 -in "[pfx filename here].pfx" -nocerts -out "encryptedPrivateKey.pem" -passin "pass:[password of certificate here]" -passout "pass:[password of certificate here]"

// Decrypts it
openssl rsa -in "encryptedPrivateKey.pem" -out "privateKey.pem" -passin "pass:[password of certificate here]"

// Generates the certificate file:
openssl pkcs12 -in "[pfx filename here].pfx" -clcerts -nokeys -out "certificate.crt" -passin "pass:[password of certificate here]"

// Generate the chain file:
openssl pkcs12 -in "[pfx filename here].pfx" -cacerts -nokeys -out "certificateChain.crt" -passin "pass:[password of certificate here]"

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.