Export Certificates and Private Key from a PKCS#12 File with OpenSSL

Note: This article does not apply to SSL.com code signing and document signing certificates. The private keys of these types of certificates cannot be exported and they cannot be generated as .pfx files. SSL.com code signing and document signing certificates and their private keys can only be generated and stored in the eSigner cloud signing environment, a YubiKey device, or a supported Cloud HSM.

This how-to will walk you through extracting information from a PKCS#12 file with OpenSSL. PKCS#12 (also known as PKCS12 or PFX) is a binary format for storing a certificate chain and private key in a single, encryptable file. PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.

What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin. You can also easily create a PKCS#12 file with OpenSSL.

Video

https://www.youtube.com/watch?v=S_imVMFOdhU

In all of the examples shown below, substitute the names of the files you are actually working with for INFILE.p12, OUTFILE.crt, and OUTFILE.key.

View PKCS#12 Information on Screen

To dump all of the information in a PKCS#12 file to the screen in PEM format, use this command:

openssl pkcs12 -info -in INFILE.p12 -nodes

You will then be prompted for the PKCS#12 file’s password:

Enter Import Password:

Type the password entered when creating the PKCS#12 file and press Enter. OpenSSL will output any certificates and private keys in the file to the screen:

Bag Attributes
    localKeyID: AC 3E 77 9A 99 62 84 3D 77 CB 44 0D F9 78 57 7C 08 28 05 97 
subject=/CN=Aaron  Russell/emailAddress=*********@gmail.com
issuer=/C=US/ST=Texas/L=Houston/O=SSL Corp/CN=SSL.com Client Certificate Intermediate CA RSA R1
-----BEGIN CERTIFICATE-----
MIIF1DCCA7ygAwIBAgIQcOrAJCMayJsZBKJsyz/aQDANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x
ETAPBgNVBAoMCFNTTCBDb3JwMTowOAYDVQQDDDFTU0wuY29tIENsaWVudCBDZXJ0

...

bwK6ABAZUq6QcvhD0LYsXya+ncDCR6wxb9E0DWd4ATQMzxGTu/yE3kT+9Ef6IY+n
armh3HZUfan2Hb64YD0tjLMca/PC+sKAZu28gB/3HQRHIFugvh6RO3bIoorl0jUg
1Ml2r83++biS0HL6JdcwuuUF
-----END PRIVATE KEY-----

Encrypt Private Key

The -nodes flag tells OpenSSL to output the private key unencrypted. If you would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command:

openssl pkcs12 -info -in INFILE.p12

In this case, you will be prompted to enter and verify a new password after OpenSSL outputs any certificates, and the private key will be encrypted (note that the text of the key begins with -----BEGIN ENCRYPTED PRIVATE KEY-----):

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIGwhJIMXRiLQCAggA
MBQGCCqGSIb3DQMHBAiXdeymTYuedgSCBMjwGg78PsqiNJLfpDFbMxL98u3tK9Cs

...

SGVCCBj5vBpSbBXAGbOv74h4satKmAMgGc8SgU06geS9gFgt/wLwehMJ/H4BSmex
4S/2tYzZrDBJkfH9JpggubYRTgwfAGY2BkX03dK2sqfu+QVTVTKMj2VI0sKcFfLZ
bdw=
-----END ENCRYPTED PRIVATE KEY-----

Extract Only Certificates or Private Key

If you only want to output the private key, add -nocerts to the command:

openssl pkcs12 -info -in INFILE.p12 -nodes -nocerts

If you only need the certificates, use -nokeys (and since we aren’t concerned with the private key we can also safely omit -nodes):

openssl pkcs12 -info -in INFILE.p12 -nokeys

Save Certificates and Private Keys to Files

You can export the certificates and private key from a PKCS#12 file and save them in PEM format to a new file by specifying an output filename:

openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nodes

Again, you will be prompted for the PKCS#12 file’s password. As before, you can encrypt the private key by removing the -nodes flag from the command and/or add -nocerts or -nokeys to output only the private key or certificates. So, to generate a private key file, we can use this command:

openssl pkcs12 -in INFILE.p12 -out OUTFILE.key -nodes -nocerts

And to create a file including only the certificates, use this:

openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nokeys

Convert Private Key to PKCS#1 Format

The examples above all output the private key in OpenSSL’s default PKCS#8 format. If you know you need PKCS#1 instead, you can pipe the output of OpenSSL’s PKCS#12 utility to its RSA or EC utility, depending on the key type. Both of the commands below will output a key file in PKCS#1 format:

RSA

openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl rsa -out OUTFILE.key

ECDSA

openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl ec -out OUTFILE.key

Note: You can tell the difference between PKCS#8 and PKCS#1 private key files by looking at the first line of text. PKCS#1 files will specify the algorithm:
-----BEGIN RSA PRIVATE KEY-----

PKCS#8 files do not show the algorithm, and may also be encrypted:
-----BEGIN PRIVATE KEY-----
or
-----BEGIN ENCRYPTED PRIVATE KEY-----
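
As an added example (not part of the original article), the shell functions below apply the header check from the note above to an exported file and flag a cleartext key that group or other users can read. The function names, the sec1-ec label for the BEGIN EC PRIVATE KEY header, and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not SSL.com's code. Function names are hypothetical.

# Print the format of the first private key block in FILE ($1).
# Files written by `openssl pkcs12` start with "Bag Attributes" lines,
# so scan for the BEGIN line instead of trusting line 1.
pem_key_format() {
    awk '
        /^-----BEGIN RSA PRIVATE KEY-----/       { fmt = "pkcs1-rsa" }
        /^-----BEGIN EC PRIVATE KEY-----/        { fmt = "sec1-ec" }
        /^-----BEGIN PRIVATE KEY-----/           { fmt = "pkcs8" }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { print "pkcs8-encrypted"; found = 1; exit }
        fmt != "" {
            # Traditional-format keys flag encryption on the next line.
            if ((getline nxt) > 0 && nxt ~ /^Proc-Type: 4,ENCRYPTED/) fmt = fmt "-encrypted"
            print fmt; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Return 0 when FILE ($1) holds no cleartext key, or only its owner can access it.
key_file_ok() {
    case "$(pem_key_format "$1")" in
        none|*-encrypted) return 0 ;;
    esac
    # Characters 5-10 of `ls -ld` are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample shaped like `openssl pkcs12 -nodes -nocerts` output
# (the body is a placeholder, not a real key).
demo=$(mktemp)
printf '%s\n' 'Bag Attributes' '    localKeyID: 00 01' \
    '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$demo"
chmod 644 "$demo"
echo "format: $(pem_key_format "$demo")"
key_file_ok "$demo" || echo "cleartext key readable by others: chmod 600 or export without -nodes"
chmod 600 "$demo"
key_file_ok "$demo" && echo "ok after chmod 600"
rm -f "$demo"
```

Run key_file_ok against OUTFILE.key after an export; a non-zero exit status means the file holds an unencrypted key with group or other permission bits set.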

