How to extract the root and server certificates from a PKCS#12 (.pfx) file

Issue description:

How to extract the server certificate, private key, and root CA certificate from a PKCS#12 (.pfx) file?

Resolution:

A .pfx file, also known as a PKCS#12 file, is a password-protected bundle that may contain a private key, the matching public (end-entity) certificate, and the intermediate and/or root CA certificates that make up its chain. The import password protects the whole bundle and is needed by every extraction command below.

To use the .pfx file in applications requiring individual certificate or key files, it’s often necessary to extract components using tools like OpenSSL:

  • The private key can be extracted separately if needed.
  • The public certificate and CA chain can also be separated for easier integration.

Below is the set of commands that extracts the components needed to manage the certificates in the Automation suite cluster. Replace rpadev.pfx with the name of your bundle; each command prompts for the .pfx import password unless it is supplied with -passin:

openssl pkcs12 -in rpadev.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key

openssl pkcs12 -in rpadev.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt

openssl pkcs12 -in rpadev.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > rootca.crt

1. Extracting the Private Key

openssl pkcs12 -in rpadev.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key
  • Purpose: Extracts the private key from rpadev.pfx and saves it in server.key.
  • Explanation:
    • openssl pkcs12 -in rpadev.pfx -nocerts -nodes: Loads the .pfx file (prompting for the import password), excludes the certificates (-nocerts), and writes the private key without encryption (-nodes; OpenSSL 3.x also accepts the spelling -noenc). Because the key lands on disk in clear text, run the command under a restrictive umask (umask 077) or chmod 600 server.key immediately afterwards, and keep the file only as long as the application needs it.
    • sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p': Keeps only the lines from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----, dropping the Bag Attributes and Key Attributes lines that openssl pkcs12 prints in front of the PEM block. The pattern matches the PKCS#8 header that current OpenSSL emits; if your build writes the key in traditional format (-----BEGIN RSA PRIVATE KEY----- or -----BEGIN EC PRIVATE KEY-----) nothing matches and server.key is left empty, so confirm the file is non-empty. Piping through openssl pkey instead of sed avoids this, since it strips the attribute lines and normalises the header.

2. Extracting the Public Certificate

openssl pkcs12 -in rpadev.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt
  • Purpose: Extracts the server (end-entity) certificate from rpadev.pfx and saves it in server.crt.
  • Explanation:
    • openssl pkcs12 -in rpadev.pfx -clcerts -nokeys: Loads the .pfx file and outputs only the "client" certificate (-clcerts), without the private key (-nokeys). In OpenSSL's terminology the client certificate is the end-entity certificate, i.e. the one stored with a localKeyID attribute that ties it to the private key; CA certificates in the bundle are skipped.
    • sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p': Drops the Bag Attributes lines and keeps only the PEM certificate block. To confirm that server.crt and server.key belong together, compare their public keys: openssl x509 -in server.crt -noout -pubkey and openssl pkey -in server.key -pubout must print identical output.

3. Extracting the CA Certificates

openssl pkcs12 -in rpadev.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > rootca.crt
  • Purpose: Extracts the CA certificate(s) from rpadev.pfx and saves them in rootca.crt.
  • Explanation:
    • openssl pkcs12 -in rpadev.pfx -cacerts -nokeys -chain: Loads the .pfx file and outputs only the CA certificates (-cacerts), excluding the private key (-nokeys). -cacerts selects every certificate in the bundle that does not carry a localKeyID, so any intermediate CA certificates that were bundled are written to rootca.crt together with the root; the file is not limited to a single root certificate. -chain is an export-only option (it makes openssl pkcs12 -export include the certificate chain); it has no effect when parsing an existing .pfx (OpenSSL 3.x warns that it is ignored without -export), so it can be dropped from this command.
    • sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p': Drops the Bag Attributes lines and keeps every PEM certificate block, so rootca.crt contains one block per CA certificate. Check the result with grep -c 'BEGIN CERTIFICATE' rootca.crt: a count of 0 means the .pfx was created without its chain and the CA certificate must be obtained from the issuer separately, and openssl verify -CAfile rootca.crt server.crt must report OK before the files are used.
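As an added example, not part of the original article and not Automation suite's own tooling, the following script performs the three extractions above in one go and adds the checks a practitioner wants before handing the files to an application. It differs from the commands above in three ways: the import password is read from a PFX_PASS environment variable via -passin env:PFX_PASS (so it is neither typed interactively nor visible in the process list), the clear-text key is created under umask 077, and the key and server certificate are normalised with openssl pkey and openssl x509 rather than sed (sed is kept only for the CA file, because openssl x509 would print just the first certificate). It then verifies that the key matches the certificate and that the certificate chains to the extracted CA file. The argument layout, the PFX_PASS variable name and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original article: split a PKCS#12 bundle into
# server.key, server.crt and rootca.crt, then verify the result.
# Assumptions (not from the page): bundle path and output directory are passed
# as arguments; the import password is in the PFX_PASS environment variable.

extract_pfx() {
    pfx="$1"
    out="$2"
    mkdir -p "$out" || return 1

    # Private key: -nocerts drops the certificates, -nodes (-noenc in 3.x)
    # leaves the key unencrypted. `openssl pkey` strips the Bag/Key Attributes
    # lines and normalises the PEM header whatever the OpenSSL build emits.
    # umask 077 makes the clear-text key file mode 0600 from the moment it exists.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
          | openssl pkey -out "$out/server.key" ) || return 1

    # End-entity certificate: -clcerts keeps only the certificate carrying a
    # localKeyID (the one that belongs to the key); `openssl x509` re-emits it clean.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
        | openssl x509 -out "$out/server.crt" || return 1

    # CA certificates: -cacerts emits every CA certificate in the bundle
    # (intermediates and root). `openssl x509` would keep only the first one,
    # so sed keeps every PEM block and drops the Bag Attributes lines.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
        | sed -ne '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        > "$out/rootca.crt" || return 1

    # A pipeline only reports the last command's status, so check the files.
    [ -s "$out/server.key" ] && [ -s "$out/server.crt" ] && [ -s "$out/rootca.crt" ]
}

# Checks to run before handing the files to an application: the key must belong
# to the server certificate, and the certificate must chain to rootca.crt.
verify_extracted() {
    out="$1"
    pub_from_key=$(openssl pkey -in "$out/server.key" -pubout) || return 1
    pub_from_crt=$(openssl x509 -in "$out/server.crt" -noout -pubkey) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_crt" ] || return 1
    # -CAfile may hold several certificates, so intermediates that were bundled
    # into rootca.crt are available for chain building as well.
    openssl verify -CAfile "$out/rootca.crt" "$out/server.crt" >/dev/null
}

# How many CA certificates the bundle carried: 0 means the .pfx was built
# without its chain and the CA certificate has to come from elsewhere.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Stand-alone use: PFX_PASS=... ./extract_pfx.sh rpadev.pfx ./out
if [ "$#" -ge 2 ]; then
    extract_pfx "$1" "$2" && verify_extracted "$2" \
        && echo "OK: $(count_certs "$2/rootca.crt") CA certificate(s) in $2/rootca.crt"
fi
```

If the bundle was produced by an older OpenSSL with RC2/3DES bag encryption, OpenSSL 3.x needs -legacy added to each openssl pkcs12 invocation (with the legacy provider available); the verification steps are unchanged.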