Extract .crt and .key file from .pfx file in Minutes

DZone 's Guide to

Extract .crt and .key file from .pfx file in Minutes

Follow these simple and easy steps to get the crt and key file from your .pfx file using open source OpenSSl without any hurdles.

· Open Source Zone ·
Free Resource

You need to follow up below commands in order to convert files to .crt/.key easily.


  1. OpenSSL package must be installed in your system.
  2. You must have .pfx file for your chosen domain name.
  3. Windows/Ubuntu/Linux system to utilize the OpenSSL package with crt

Step 1: Extract the private key from your .pfx file

openssl pkcs12 -in [yourfilename.pfx] -nocerts -out [keyfilename-encrypted.key]

This command will extract the private key from the .pfx file. Now we need to type the import password of the .pfx file. This password is used to protect the keypair which created for .pfx file. After entering import password OpenSSL requests to type another password twice. This new password is to protect the .key file. #SafetyFirst

theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl pkcs12 -in samplefilename.pfx -nocerts -out samplefilenameencrypted.key 
Enter Import Password: 
Enter PEM pass phrase: 
Verifying — Enter PEM pass phrase: 

Please note that, when you are going to enter the password, you can’t see against password, but they are typing in the back. Press enter once you entered your secure password.

Step 2: Extract .crt file from the .pfx certificate

openssl pkcs12 -in [yourfilename.pfx] -clcerts -nokeys -out [certificatename.crt]

After that, press enter and give the password for your certificate, hit enter again, after all - your certificate will be appears in the same directory.

theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl pkcs12 -in samplefile.pfx -clcerts -nokeys -out samplefileencrypted.crt 
Enter Import Password:

Step 3: Extract the .key file from encrypted private key from step 1.

openssl rsa -in [keyfilename-encrypted.key] -out [keyfilename-decrypted.key]

We need to enter the import password which we created in the step 1. Now we have a certificate(.crt) and the two private keys ( encrypted and unencrypted).

theraxton@ubuntu:~/Downloads/SSL-certificate$ openssl rsa -in samplefilenameencrypted.key -out samplefilenameunencrypted.key 
Enter pass phrase for samplefilenameencrypted.key: 
writing RSA key

Now you can use .crt and .key file to run your Node / Angular / Java application with these obtained files.

What do you think about this article? — Is it helpful? — Please comment your opinion below.

domain authority, ssl cert, ssl certificate, ssl certificate faqs, web security

Published at DZone with permission of RAkshiT ShaH . See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}