Tips: Using openssl to extract private key (.pem file) from .pfx (Personal Information Exchange)
May 15, 2008
PFX: PFX defines a file format commonly used to store private keys with their accompanying public key certificates, protected with a password-based symmetric key (the PKCS #12 standard).
PEM: OpenSSL uses the PEM (Privacy Enhanced Mail) format to store the private key.
If you have OpenSSL installed, open a command prompt and run the following commands. (If not, download it from openssl; you can download either the binary or the source and compile it.)
To extract the private key from a pfx file and write it to a PEM file:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
To extract the certificate file (the signed public key) from the pfx file:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file:
>>openssl.exe rsa -in privateKey.pem -out private.pem
This step is needed because, when you exported the private key, you added a password to it to secure it. If you leave the password on it, any application that tries to access the key will keep asking for the password.
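The whole procedure end to end, as an added example that is not part of the original post: it runs the three commands above non-interactively and then checks that the decrypted key belongs to the extracted certificate. It is written for a POSIX shell with `openssl` on the PATH (the post uses `openssl.exe` at a Windows prompt; the subcommands are the same), and the sample PFX, `orig.key`, `orig.crt`, the subject name and both passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. File names beyond those in the
# post, the subject name and both passwords are constructed sample values.
set -eu
umask 077    # every file created below is readable by its owner only

# Build a throwaway PFX so the walkthrough runs offline (constructed input).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout pass:SamplePfxPass -out "$1/publicAndprivate.pfx"
}

# The post's three commands. pass: keeps the sample non-interactive; it
# exposes the password in the process list, so with a real key let openssl
# prompt instead.
extract_from_pfx() {
    openssl pkcs12 -in "$1/publicAndprivate.pfx" -nocerts \
        -passin pass:SamplePfxPass -passout pass:SamplePemPass \
        -out "$1/privateKey.pem"
    openssl pkcs12 -in "$1/publicAndprivate.pfx" -clcerts -nokeys \
        -passin pass:SamplePfxPass -out "$1/publicCert.pem"
    openssl rsa -in "$1/privateKey.pem" -passin pass:SamplePemPass \
        -out "$1/private.pem" 2>/dev/null
}

# True only when the key file and the certificate hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_pfx "$work"
extract_from_pfx "$work"
if key_matches_cert "$work/private.pem" "$work/publicCert.pem"; then
    echo "private.pem matches publicCert.pem"
else
    echo "key/certificate mismatch" >&2
    exit 1
fi
```

Because `private.pem` is no longer password-protected, the `umask 077` line is what keeps other local users from reading it.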
I was trying to find out how to extract private keys out of pfx file and got it right here.
This is the best response I have seen to this question. So to the point with no crap.
I have a p12 file; will that work? How can I use .pem files to sign? The certificate asked in the signing process should be .cer and similarly .key for the key
.pfx and .p12 extensions usually refer to the same file type, i.e. PKCS #12 format.
A .cer file is the equivalent of the publicCert.pem file, and a .key file is the equivalent of the privateKey.pem file. The .crt extension is also commonly used to represent the same file type as the .cer extension.
Note that .cer or .crt files are not necessarily encoded in PEM format. They may also be encoded in DER format.
How do I extract the private key from the .crt Certificate file?
.crt doesn’t have the private key. So obviously you can’t extract private key from it.
Thanks for this great post – it helped me a lot!
Very useful. Right what I was looking for
This helped me out greatly. Many thanks!
Oh, very nice. I was searching for how to extract a private key from .pfx for 1 week and I found the solution here very easily… thanks. Now if someone has a problem related to making a digital certificate (.cer), .pfx, .pem etc., or related to how to send digitally signed email, I am ready to help because now I am an expert in these things
mail me naeemgik@yahoo.com bye
Good article.. helped me in minutes..
OMG, you saved me hours figuring out how to change private key to an RSA private key in PEM. Thank you so much.
Thanks for that post. I found the -nodes option to export the private key without any password:
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -nodes -out privateKey.pem
Then your last command is not required anymore.
I found a website maintained by Paul Heinlein about some important openssl commands:
http://www.madboa.com/geek/openssl/
I used this post to create a document I am passing around to friends. I made sure to credit your work in the document.
Thanks for putting this together.
Chad
Thanks for exact steps, this is very good link. I got exactly what I required.
Hello there, You’ve done an incredible job. I will definitely digg it and personally recommend to my friends. I am sure they will be benefited from this web site.
Thanks for helping me get my keys out from the file I’d exported from Windows… I thought initially I was going to be stuck with having to use it only on Windows and IIS, but you helped me move!
Please let me know how to extract private key from a kdb CMS keystore.
Thanks so much! Found the openssl docs to be a bit obtuse. Just what I needed.
Thanks for this post.
However, it seems that everything fails miserably for me when trying to generate the RSA private key file, with the following error:
unable to load Private Key
3079219352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
Any thoughts? (If necessary, I can provide my OpenSSL version information).
Thanks man, that was really helpful.
So my application requires the use of the cert file and the private key file. When pointing to the private key file do I point it to privateKey.pem or private.pem?
Thanks again, awesome post!
— Mike
Thank you for the post. My .pfx file is password protected and I get the following message when I execute the openssl.exe pkcs12: permission denied.
Could you possibly help?
I followed these instructions and I got this:
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 80
And not RSA PRIVATE KEY as I was expecting
Does not work with GOST R34.10-2001:
OpenSSL> pkcs12 -in *****.pfx -nocerts -out *****.pem
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
18796:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.\crypto\evp\evp_pbe.c:167:TYPE=1.2.840.113549.1.12.1.80
18796:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:.\crypto\pkcs12\p12_decr.c:83:
18796:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:130:
error in pkcs12
Maybe you need the ccgost engine configured.
How to convert .pem to .cer?