How to Extract a Private Key from a PFX File on Windows

November 17, 2020

Sometimes you need to extract the private key and certificates from a .pfx file, but there is no way to do it directly. This article explains how. The same steps also let you migrate an SSL certificate to AWS ELB, because ELB requires the private key and certificates separately.

Before trying this method, keep in mind that you must have OpenSSL installed on your Windows or Linux system. Once it is installed, follow these steps:

  1. To extract the private key from the PFX, first open Windows File Explorer.
  2. Copy the .pfx file to a computer with OpenSSL installed, noting the file path. Certificate .pfx files are usually password protected, so obtain the password for the .pfx file.
  3. Once you have the password for the .pfx file, navigate to the \OpenSSL\bin\ directory.
  4. Right-click the openssl.exe file and choose Run as administrator.
  5. Enter the command below to set the OpenSSL configuration:

set OPENSSL_CONF=c:\OpenSSL\bin\openssl.cnf

  6. Run the command below, replacing the file path and file name to match the location of the copied .pfx file:

pkcs12 -in C:\PathTOThePFXfile\myPFXfileNAme.pfx -out certificate.txt -nodes

  7. Enter the password for the .pfx file.
  8. A certificate.txt file is now generated in the same directory as the location referenced in the command above.

To create your certificate.crt file, follow these steps:

  • First, open Notepad.
  • Then open the newly generated certificate.txt file.
  • Copy the section starting from and including -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

  • Next, create a new file in Notepad.
  • In the new file, paste the information that you just copied.
  • Save the file as certificate.crt; Notepad will name it certificate.crt.txt.
  • Rename the new file so that its extension is .crt.

To create the privateKey.key file, follow these instructions:

  • First, return to the certificate.txt file generated above.
  • Then, copy the section starting from and including -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----.

  • Once it is copied, create a new file in Notepad.
  • Paste the information into the new Notepad file.
  • Save the file as privateKey.key; Notepad will save it as privateKey.key.txt.
  • After you have saved the file, rename it so that its extension is .key.
  • Repeat the same copy process for any other certificates you need from the certificate.txt file.
  • You now have the certificate.crt and privateKey.key files made from the certificate.pfx file.
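
The Notepad copy steps above can also be done with two OpenSSL commands that write the key and the certificate straight to separate files, followed by a check that the two belong together. This is an added example, not part of the original article; the sample .pfx, its password and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example; file names, CN and password are constructed for the demo.

# make_sample_pfx DIR PASSWORD: throwaway self-signed cert bundled as sample.pfx
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout "pass:$2" -out "$1/sample.pfx" 2>/dev/null
}

# split_pfx PFX PASSWORD OUTDIR: write privateKey.key and certificate.crt.
# "pass:" exposes the password to other local users via the process list;
# on a real host prefer -passin file:<path> or the interactive prompt.
split_pfx() {
    # -nodes writes the key unencrypted, so create it with owner-only access.
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
          -out "$3/privateKey.key" 2>/dev/null ) || return 1
    # -clcerts -nokeys: leaf certificate only, no key material in this file.
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        -out "$3/certificate.crt" 2>/dev/null || return 1
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_pfx "$work" "demo-pass" &&
        split_pfx "$work/sample.pfx" "demo-pass" "$work" &&
        key_matches_cert "$work/privateKey.key" "$work/certificate.crt" &&
        echo "privateKey.key matches certificate.crt"
    rc=$?
    rm -rf "$work"
    return "$rc"
}
demo
```

The same openssl pkcs12 options work in a Windows command prompt; only the umask line is specific to Unix-like shells.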

Personal Information Exchange (PFX) is a file format that is usually used to store a certificate together with its private and public keys. For instance, if you have to transfer an SSL certificate from one Windows server to another, you can simply export it as a .pfx file using the IIS SSL export wizard or the MMC console.

What should you do if you want to open a PFX file? The best method is to double-click it and let the default associated application open the file. If you cannot open the file this way, the application associated with the extension for viewing or editing PFX files may not be installed.

As for the private key, every SSL certificate needs one to work. It is a separate file used in the encryption and decryption of data sent between your server and connecting clients. It is created by you, the owner of the certificate, when you request your certificate with a CSR (Certificate Signing Request). If you think that the Certificate Authority provides you the private key, then you are wrong.

If the certificate is not yet installed, the private key is most likely on the computer or server where you generated the CSR. During generation, the server asked you to save two files. For OpenSSL, the command openssl version -a can be run to find the folder where your key files would be saved (/usr/local/ssl by default). On Windows (IIS), the OS manages the CSRs for you. You will first want to complete the request and then export the key, as explained in the guide above.

If you have already installed the certificate, follow the steps below to find the private key file on Windows (IIS).

As stated before, on Windows servers the OS manages your certificate files for you in a hidden folder. However, the private key can be retrieved by exporting a .pfx file that contains the certificate(s) and private key.

First, open the Microsoft Management Console (MMC). In the Console Root, expand Certificates (Local Computer). Note that the server certificate will be in the Personal or Web Server subfolder. Find and right-click the certificate that is identified by the Common Name, then choose Export and follow the guided wizard. This results in a .pfx file.

Depending on what you intend to do with the private key, you may have to split the private key into a separate file by converting the .pfx. If you only want to save the key or install it onto another Windows server, it is already in the right format.
