SSL certificates use two important key files, the public key and the private key, to make the connection more secure. The private key is the most important part of the SSL certificate, and we do not get it from our Certificate Authority: the CA provides only the certificate file, the intermediate certificate files, and the root certificate. We have to generate the private key ourselves using the certificate files shared by the Certificate Authority, which takes a few steps. In this article, I will walk you through the steps to extract the private key from a PFX certificate file using OpenSSL commands. I will also explain how to run the OpenSSL commands on Windows machines.
OpenSSL command to extract Private Key from PFX
pkcs12 -in {certificate-pfx-format} -nocerts -nodes -out {private-key-file-name}
Example:
pkcs12 -in certificate-name.pfx -nocerts -nodes -out private-key.pem
pkcs12 | OpenSSL command to extract the private key |
-in certificate-name.pfx | Input property. Give the certificate file in PFX format as the input. |
-nocerts | Tells OpenSSL not to output any certificates, so only the private key is written. This option takes no value. |
-nodes | Use this optional property if you want an unencrypted private key as output (recommended). If you omit this property, you get an encrypted private key, which is not useful when binding an SSL certificate to an app or website. |
-out private-key.pem | Output property. Give the file name under which to save the private key extracted from the input PFX certificate file. |
Steps to Extract Private Key from PFX Certificate file in Windows
Step 1: If you already have a PFX certificate file, go to Step 2.
If you don’t have a PFX certificate file, complete the certificate process and then export the PFX certificate from IIS.
To complete the certificate process, check this article, where I have explained the simple steps.
Once you have completed the certificate process, you need to export the PFX certificate file. To learn how to export the PFX certificate file, check this article.
Step 2: Keep the PFX certificate file aside. Now download the OpenSSL source file from this link. This is an older version, but it works perfectly fine.
Step 3: Once the file is downloaded to your Windows machine, unzip it. Then go to the bin folder.

Then double-click the “openssl” application file inside the bin folder.
Step 4: This will open the OpenSSL command window. Here you need to execute the command.

Step 5: To extract the private key from the PFX certificate file, paste the PFX certificate file inside the bin folder.

That way, you don’t need to specify the path of the certificate file in the command.
Step 6: Use the following command to extract the private key from the PFX file.
pkcs12 -in certificate-file.pfx -nocerts -nodes -out private-key.pem
This will ask for the PFX password that you used while exporting it. Enter the password.

Use the -nodes property if you want an unencrypted private key as output. If you omit this property, you get an encrypted private key, which is not useful when binding an SSL certificate to an app or website. You will get an invalid RSA Private Key error if you use the encrypted private key file.
Step 7: Once you have entered the import password, you will get a MAC verified OK message if it succeeds.
That’s it. The private key file is generated and stored in the bin folder.

You can open the private key file in Notepad; the content will have the structure below.
Bag Attributes
localKeyID: 4F 36 11 33 48 42 67 AA B5 05 A2 80 44 18 2E
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
-------------------------
-------------------------
-----END RSA PRIVATE KEY-----
You can delete the following first 3 lines:
Bag Attributes
localKeyID: 4F 36 11 33 48 42 67 AA B5 05 A2 80 44 18 2E
Key Attributes: <No Attributes>
Then save the modified private key file, which will have the following structure:
-----BEGIN RSA PRIVATE KEY-----
-------------------------
-------------------------
-----END RSA PRIVATE KEY-----
You can also save the private key file with the .KEY extension instead of the .PEM extension; the reverse works as well.
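The clean-up step above can also be done programmatically. The following is an added example, not part of the original article: a Python function (the names `extract_key_block` and `SAMPLE` are hypothetical) that keeps only the PEM block, drops the Bag Attributes lines, and reports whether the key is still encrypted, which is the case the article says causes the invalid RSA Private Key error. The sample input is constructed and contains no real key material.

```python
import base64
import re

# One PEM private-key block; the label varies with OpenSSL version and key type.
PEM_KEY = re.compile(
    r"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----\r?\n"
    r"(.*?)-----END \1-----",
    re.DOTALL,
)

# Constructed sample: the body is base64 of placeholder bytes, not a real key.
_BODY = base64.encodebytes(b"constructed placeholder, not key material" * 2).decode()
SAMPLE = (
    "Bag Attributes\r\n"
    "    localKeyID: 01 02 03 04 \r\n"
    "Key Attributes: <No Attributes>\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    + _BODY.replace("\n", "\r\n")
    + "-----END RSA PRIVATE KEY-----\r\n"
)


def extract_key_block(pkcs12_output):
    """Return (pem_text, is_encrypted) for the first private key in the text.

    Lines outside the BEGIN/END markers (Bag Attributes, localKeyID,
    Key Attributes) are dropped. Raises ValueError on a missing or damaged key.
    """
    match = PEM_KEY.search(pkcs12_output)
    if match is None:
        raise ValueError("no PEM private key block found")
    label, body = match.group(1), match.group(2)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    # Traditional encrypted keys put "Name: value" headers before the base64.
    headers = [ln for ln in lines if ":" in ln]
    b64_lines = [ln for ln in lines if ":" not in ln]
    if not b64_lines:
        raise ValueError("key block has no body")
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
    )
    try:
        base64.b64decode("".join(b64_lines), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    spacer = [""] if headers else []
    parts = [f"-----BEGIN {label}-----", *headers, *spacer, *b64_lines,
             f"-----END {label}-----"]
    return "\n".join(parts) + "\n", encrypted
```

If the function reports the key as encrypted, the extraction was run without -nodes and the file needs to be re-extracted or decrypted before binding.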
I hope this article helps you understand how to use OpenSSL commands on a Windows machine to extract the private key from a PFX certificate file.
Check this article to learn how to create a PFX file using the OpenSSL command.