OpenSSL: Extract Private Key

1. Extract the Private Key

openssl pkcs12 -in yourfile.pfx -nocerts -out private.key

• You’ll be prompted for the PFX password.

• This exports the private key in encrypted format.

If you want an unencrypted private key (optional):

openssl rsa -in private.key -out private_unencrypted.key

---

2. Extract the Certificate

openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out certificate.crt

• This will extract the client certificate and exclude the private key.

---

3. (Optional) Extract the CA Chain

openssl pkcs12 -in yourfile.pfx -cacerts -nokeys -chain -out ca_bundle.crt

---

4. Verify the Certificate

bashCopyEditopenssl x509 -in certificate.crt -text -noout

To verify if the certificate and private key match:

bashCopyEditopenssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

• If the MD5 hashes match, your certificate and key match.

---

REFERENCES

• https://betterstack.com/community/questions/how-to-convert-pem-to-crt-and-key/