How to split a pfx file into cert and key?


Michael Leone
I received a pfx file from one of our techs. A pfx file is a cert and key, all in one binary file. He needs me to split it out into the cert and the key, so I can create a new request from that key, and then sign a new cert for him.

(no, I don't know why he can't just create a new request. And I would revoke the old cert, except that I am unsure of the details he used in naming it, so I don't know what to revoke .. So I am stuck trying to see if I can help the guy, by creating a new request from the private key, presuming I can extract the private key ...)

Anyways, I found this set of commands


  1. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key 

But I'm asked for an "Import password" ..

$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out DCTRNPS001_key.pem -nodes
Enter Import Password:

And I have no idea what an "import" password is. It's not the password for the private key, so I don't know what it is.

Pointers, anyone?

--

Mike. Leone, <mailto:[hidden email]>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

RE: How to split a pfx file into cert and key?

Matthias St. Pierre

 

It’s the password which protects the p12 file. If you were given a ‘PIN’ for your pfx file, try that.

OpenSSL calls it ‘import password’, because it is importing from p12 format and exporting to pem format.

Two remarks about those three commands:

If you omit the `-nodes` argument in the first command, OpenSSL will ask you for another password to encrypt the private key, which I’d recommend if it’s an important key.

The third command is only necessary if you omitted `-nodes` in the first step, because otherwise the key already is unencrypted and has no passphrase.

  1. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  2. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  3. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key

HTH,

Matthias

 

 

 

 

From: openssl-users <[hidden email]> On Behalf Of Michael Leone
Sent: Thursday, February 13, 2020 9:34 PM
To: [hidden email]
Subject: How to split a pfx file into cert and key?

 

I received a pfx file from one of our techs. A pfx file is a cert and key, all in one binary file. He needs me to split it out into the cert and the key, so I can create a new request from that key, and then sign a new cert for him.

(no, I don't know why he can't just create a new request. And I would revoke the old cert, except that I am unsure of the details he used in naming it, so I don't know what to revoke .. So I am stuck trying to see if I can help the guy, by creating a new request from the private key, presuming I can extract the private key ...)

Anyways, I found this set of commands

Extracting Certificate and Private Key Files from a .pfx File
https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File

  1. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
  2. Run the following command to export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  3. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  4. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key

But I'm asked for an "Import password" ..

$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out DCTRNPS001_key.pem -nodes
Enter Import Password:

And I have no idea what an "import" password is. It's not the password for the private key, so I don't know what it is.

Pointers, anyone?

 

--


Mike. Leone, <mailto:[hidden email]>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...
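
The split discussed in this thread, end to end, as an added example that is not part of either message: it builds a throwaway PKCS#12 file, extracts the key without `-nodes` so it stays encrypted, creates a new request from it, and checks that key, certificate and request carry the same public key. The function names, `demo.example`, the file names and both passwords are constructed for illustration; the passwords are passed with `env:` so they stay off the command line.

```shell
#!/bin/sh
# Added example; the certificate, file names and passwords are constructed.
set -eu
umask 077   # extracted key material stays readable by the current user only

# Build a throwaway self-signed cert and bundle it into a PKCS#12 file.
# PFX_PASS is what the pkcs12 command calls the "import password".
make_sample_pfx() {   # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
    -passout env:PFX_PASS -out "$1/demo.pfx"
}

# Split the bundle. -nodes is left out, so key.pem is encrypted with KEY_PASS.
split_pfx() {         # $1 = pfx file, $2 = output directory
  openssl pkcs12 -in "$1" -nocerts -passin env:PFX_PASS \
    -passout env:KEY_PASS -out "$2/key.pem"
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS -out "$2/cert.pem"
}

# Create a new request from the extracted, still encrypted key.
new_csr() {           # $1 = directory holding key.pem
  openssl req -new -key "$1/key.pem" -passin env:KEY_PASS \
    -subj "/CN=demo.example" -out "$1/new.csr"
}

# Print the PEM public key contained in a key, certificate or request.
pub_of() {            # $1 = key|cert|csr, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -passin env:KEY_PASS -pubout ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req -in "$2" -noout -pubkey ;;
  esac
}

demo() {
  d=$(mktemp -d)
  export PFX_PASS="constructed-import-pw" KEY_PASS="constructed-key-pw"
  make_sample_pfx "$d"; split_pfx "$d/demo.pfx" "$d"; new_csr "$d"
  k=$(pub_of key "$d/key.pem"); c=$(pub_of cert "$d/cert.pem")
  r=$(pub_of csr "$d/new.csr")
  rm -rf "$d"
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$r" ]
}
if demo; then echo "key, cert and new CSR match"; else echo "mismatch"; fi
```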