How To Extract Certificates and Private Key from .PFX file

NetShop ISP · Blog Author

Nov 19, 2024 · Technical Tutorials

PFX (Personal Information Exchange) is a file format used to store cryptographic information in a single file. One type of information held within a PFX file is SSL Certificate chains along with the Private Key.

In this article we will explain the reasons one may want to extract the certificates from a .PFX file and the exact steps on how to do it using OpenSSL.

Why Extract Certificates from Single .PFX File

Extracting certificates and private keys from a .pfx file can be necessary in various scenarios, particularly when managing SSL/TLS certificates, application deployments, or secure communications.

1. Application Requirements

Some applications or servers require separate files for certificates and private keys instead of a combined .pfx file:

Web Servers
Servers like Apache or Nginx require the private key and certificates to be in PEM format (.key and .crt files).

Load Balancers
Many load balancers such as HAProxy require the certificate chain (.crt) and private key in specific formats.

Mail Servers
Email software like Zimbra often requires separate key and certificate files.

2. Compatibility & Migration

A .pfx file (PKCS#12) is mainly used on Windows systems, whereas .pem, .crt and .key files are used on Linux. For example, when a wildcard SSL certificate is installed on a Windows Server and a developer then wants to install it on Linux, the certificates must be extracted from the .pfx file prior to installing them in the Linux environment (web server, proxy, etc).

3. Easy Renewal & Replacement

Extracting the Private Key from a .PFX is useful in cases of SSL renewal, when one needs to quickly issue a renewed certificate, without going through the hassle of CSR generation.

Best Way to Extract Certificates and Private Key from PFX file

OpenSSL is the utility with which we can extract certificates and the private key from a .pfx file.

In Linux systems use the following command to install openssl:

john@localhost:~$ sudo apt install openssl -y

If you are a Windows user, please visit OpenSSL’s Wiki for instructions on how to download and install OpenSSL for Windows.

Case 1: Extract all Certificates and Private Key in Single PEM file

The following command will extract all certificates (end-entity certificate, intermediate and root certificates) and the private key into a single .pem file.

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -out yourExtractedFile.pem -nodes

Case 2: Extract all Certificates and Private Key in Individual Files

In case you want the private key, the end-entity certificate and the intermediate/root certificates in separate files, use the following commands:

Extract the private key:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -nocerts -nodes -out yourExtractedKey.pem

Extract the end-entity certificate:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -clcerts -nokeys -out yourExtractedEntityCert.pem

Extract the intermediate and root (if any) certificates:

john@localhost:~$ sudo openssl pkcs12 -in yourPFXFile.pfx -cacerts -nokeys -out yourExtractedChain.pem

Congratulations! If you followed the above steps you should have successfully extracted your desired certificates and private key from the PFX file.
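
The script below is an added example, not code from NetShop ISP. It runs the three Case 2 commands under a restrictive umask, because -nodes writes the private key to disk unencrypted, and then checks that the extracted key belongs to the extracted certificate. The function names, the PFX_PASS environment variable and the throwaway sample PFX with its password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not NetShop ISP's code): Case 2 with an owner-only key file and a match check.
# Function names, PFX_PASS and the sample PFX are assumptions made for this example.

# make_sample_pfx DIR: build a throwaway self-signed PFX (constructed test data).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout pass:constructed-pass -out "$1/sample.pfx"
}

# extract_pfx PFX OUTDIR: the import password is read from the PFX_PASS variable.
extract_pfx() {
    pfx=$1 out=$2
    old_umask=$(umask)
    umask 077    # new files are created 0600; -nodes leaves the key unencrypted
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes -out "$out/key.pem" &&
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys -out "$out/cert.pem" &&
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys -out "$out/chain.pem"
    rc=$?
    umask "$old_umask"
    return $rc
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo on constructed data: run the script with "demo" as its first argument.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) || exit 1
    PFX_PASS=constructed-pass; export PFX_PASS
    make_sample_pfx "$d" && extract_pfx "$d/sample.pfx" "$d" &&
        key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key matches certificate"
    rm -rf "$d"
fi
```

For a self-signed PFX such as the sample, chain.pem comes out empty because the file holds no CA certificates.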
