Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

PFX : PFX defines a file format commonly used to store private with accompanying public key certificates, protected with a password-based symmetric key (standard-PKCS12).
PEM : Openssl usages PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have the openssl then go to command promt and run the following commands (If not, download it from openssl, you can either download binary or source and then compile).

If you want to extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file.
>> openssl.exe rsa -in privateKey.pem -out private.pem
This is required as, at the time of exporting privateKey, you have added a password to the private key to secure it. If you left the password with it, it will keep asking the password as any application tries to access it.


About yadab das
Software Developer{writing,debugging,documenting} source code

46 Responses to Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)

  1. SK says:

    I was trying to find out how to extract private keys out of pfx file and got it right here.

  2. christucker says:

    This is the best response I have seen to this question. So to the point with no crap.

    • Supriya Tenany says:

      I have a p12 file; wil that work? How can I use .pem files to sign? The certificate asked in the signing process should be .cer and similarly .key for the key

      • NLE says:

        .pfx and .p12 extensions usually refer to the same file type, i.e. PKCS #12 format.

        A .cer file is the equivalent of the publicCert.pem file, and a .key file is the equivalent of the privateKey.pem file. The .crt extension is also commonly used to represent the same file type as the .cer extension.

        Note that .cer or .crt files are not ncessarily encoded in PEM format. They may also be encoded in DER format.

  3. Sandip says:

    How do I extract the private key from the .crt Certificate file?

  4. DerGolo says:

    Thanks for this great post – it helped me a lot!

  5. FC says:

    Very useful. Right what I was looking for

  6. Mike says:

    This helped me out greatly. Many thanks!

  7. Naeem Shah says:

    Oh very nice i was searching for extracting private key from .pfx since 1 week and i found here very easily the solution….thanks Now if some one has problem related making digital certificate (.cer), .pfx, .pem etc and related how to send digitally signed email…… i mready to help b/c now i m expert in these things
    mail me bye

  8. santosh says:

    Good article.. helped me in minutes..

  9. Appreciated says:

    OMG, you save me hours figuring out how to change private key to an RSA private key in PEM. Thank you so much.

  10. NLE says:

    Thanks for that post. I found the -nodes option to export the private key without any password:

    openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -nodes -out privateKey.pem

    Then your last command is not required anymore.

  11. yadab das says:

    I found some website maintained by Paul Heinlein about some important openssl commands;-

  12. chad markley says:

    I used this post to create a document I am passing around to friends. I made sure to credit your work in the document.

    Thanks for putting this together.


  13. Pingback: A Blog. » Howto: Copy a Certificate out of IIS and into a Coyote Traffic Management Sever - Personal Web Log of Tom Lianza

  14. Sanjeev says:

    Thanks for exact steps, this is very good link. I got exactly what I required.

  15. Hello there, You’ve done an incredible job. I will definitely digg it and personally recommend to my friends. I am sure they will be benefited from this web site.

  16. Andy says:

    Thanks for helping me get my keys out from the file I’d exported from Windows… I though initially I was going to be stuck with having to use only on Windows and IIS, but you helped me move!

  17. suddapalli says:

    Please let me know how to extract private key from a kdb CMS keystore.

  18. Pingback: install trusted ssl certificate apache « exemen 's blog

  19. FatSean says:

    Thanks so much! Found the openssl docs to be a bit obtuse. Just what I needed.

  20. Tyson Key says:

    Thanks for this post.

    However, it seems that everything fails miserably for me when trying to generate the RSA private key file, with the following error:

    unable to load Private Key
    3079219352:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

    Any thoughts? (If necessary, I can provide my OpenSSL version information).

  21. Pingback: How to install a pfx wildcard certificate on Barracuda spamfilter « Its so Swuve

  22. Pingback: SSL Certs - Ruckus & SmoothWall Devices. - Page 2

  23. Pingback: Экспорт приватного ключа разработчика из MacOS X в Marmalade SDK « LG.BALUKATION's Weblog

  24. কুচ্ছিত হাঁসের ছানা says:

    Thanks man, that was really helpful.

  25. Pingback: How to transfer certificates and in a smart card using OpenSC | Quak Quaks of the Ugly Duckling

  26. Mike says:

    So my application requires the use of the cert file and the private key file. When pointing to the private key file do I point it to privateKey.pem or private.pem?

    Thanks again, awesome post!

    — Mike

  27. কুচ্ছিত হাঁসের ছানা says:

    Reblogged this on কুচ্ছিত হাঁসের ছানা and commented:
    Trying to reblog it.

  28. Pingback: Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange) | Quak Quaks of the Ugly Duckling

  29. jerome says:

    Thank you for the post. My .pfx file is password protected and I get the following message when I execute the openssl.exe pkcs12: permission denied.
    Could you possiby help?

  30. Pingback: Enable HTTPS on Liferay/Apache | My Learnings

  31. Greg says:

    I followed these instructions and I got this:
    Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
    Key Attributes
    X509v3 Key Usage: 80

    And not RSA PRIVATE KEY as I was expecting :/

  32. Pingback: Error while getting private key from .p12 file using Org.BouncyCastle.Crypto | BlogoSfera

  33. Pingback: Extracting Certs and Keys from .pfx and using with sqlmap | The Merry Haxor

  34. Pingback: SSL/HTTPS within an Amazon ELB workflow - Just just easy answers

  35. Pingback: Wyciąganie klucza SSL z pliku PFX | Darevee

  36. Pingback: Fix Openssl Error 0906d06c Pem Windows XP, Vista, 7, 8 [Solved]

  37. Pingback: Some command-line tips for OpenSSL and file format (pfx, p12, cer, crt, key, etc.) conversion of certificates, keys « The Wiert Corner – irregular stream of stuff

  38. Does not work with GOST R34.10-2001:
    OpenSSL> pkcs12 -in *****.pfx -nocerts -out *****.pem
    Enter Import Password:
    MAC verified OK
    Error outputting keys and certificates
    18796:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.\crypto\evp\evp_pbe.c:167:TYPE=1.2.840.113549.
    18796:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:.\crypto\pkcs12\p12_decr.c:83:
    18796:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:130:
    error in pkcs12

  39. Pingback: Confluence: LRS Connect Platform

  40. param says:

    how to convert .pem to.cer

  41. Pingback: How To Create A Pfx File With Openssl | How Find Money

  42. Pingback: Webmail with SSL Certificates | ChainRingCircus

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: