OpenSSL - Convert a .pfx certificate to a .pvk private key and a .cer certificate


In some cases, you need to export the private key of a ".pfx" certificate in a ".pvk" file and the certificate in a ".cer" file.

For example, you may want to generate certificates with makecert while using the certification authority you created on Windows Server.
Because Windows Server offers only the ".pfx" and ".cer" export formats for this authority certificate, you must follow this tutorial to use the authority with makecert.

Prerequisites :
- OpenSSL 1.x

  1. OpenSSL Installation
  2. Export the private key (.pvk) from the certificate (.pfx)
  3. Exporting the ".cer" certificate from the ".pfx" certificate
  4. Preview of obtained files

1. OpenSSL Installation

To begin, download "OpenSSL", unzip the downloaded zip file and navigate to the "bin" folder.

To prevent OpenSSL from showing the warning "WARNING: can't open config file: C:/OpenSSL/openssl.cnf", copy the contents of the "bin" folder into the "C:\OpenSSL" folder (which you must create).

2. Export the private key (.pvk) from the certificate (.pfx)

To begin, start a command prompt (cmd) and type this :

Batch

cd C:\OpenSSL

Then, export the private key of the ".pfx" certificate to a ".pem" file like this :

Batch

openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem

OpenSSL will ask you for the password that protects the private key included in the ".pfx" certificate.
If the password is correct, OpenSSL displays "MAC verified OK".

Then, open the "key.pem" file with WordPad (included with Windows) or Notepad++, delete the lines above the "-----BEGIN PRIVATE KEY-----" line, and save the file under the same name.
Your file should look like this :

-----BEGIN PRIVATE KEY-----
Several lines of letters and numbers
-----END PRIVATE KEY-----

Note : Don't use Windows Notepad, because it does not recognize the line endings of this file.
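
The manual clean-up step above can also be scripted. The following Python function is an added example, not part of the original tutorial: it keeps only the private key block from the text that "openssl pkcs12" wrote and refuses input that holds no key, several keys, or a key that is still encrypted. The function name and the sample text are assumptions made for illustration.

```python
import base64
import binascii
import re

# Matches one PEM block; the label is captured so encrypted keys can be rejected.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def extract_private_key(pem_text):
    """Return the single unencrypted private key block from `openssl pkcs12`
    output, dropping the attribute lines printed above it."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no private key block found")
    if len(blocks) > 1:
        raise ValueError("more than one private key in the file")
    label, body = blocks[0]
    if "ENCRYPTED" in label:
        raise ValueError("key is still encrypted; export it with -nodes")
    body_lines = [line.strip() for line in body.splitlines() if line.strip()]
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    if not der.startswith(b"\x30"):
        raise ValueError("decoded key is not a DER SEQUENCE")
    # Re-emit with plain LF line endings, which OpenSSL accepts.
    return "\n".join(
        [f"-----BEGIN {label}-----", *body_lines, f"-----END {label}-----", ""]
    )


if __name__ == "__main__":
    # Constructed sample: the body is filler bytes, not a real key.
    body = base64.b64encode(b"\x30\x82" + bytes(range(94))).decode()
    sample = (
        "Bag Attributes\r\n    localKeyID: 01 00 00 00\r\n"
        "Key Attributes: <No Attributes>\r\n"
        "-----BEGIN PRIVATE KEY-----\r\n"
        + body[:64] + "\r\n" + body[64:] + "\r\n"
        "-----END PRIVATE KEY-----\r\n"
    )
    print(extract_private_key(sample), end="")
```

Call it on the contents of "key.pem" and write the result back to the same file before running the PVK conversion. Because of the "-nodes" option, "key.pem" holds the private key unencrypted, so delete it once "key.pvk" has been created.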

Finally, convert the private key from the ".pem" format to the ".pvk" format.

Batch

openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk

OpenSSL will ask you, once again, for the password that protects the private key.

3. Exporting the ".cer" certificate from the ".pfx" certificate

To begin, convert the certificate from the ".pfx" format to the ".pem" format, by typing this :

Batch

openssl pkcs12 -in cert.pfx -nokeys -nodes -out cert.pem

OpenSSL will ask you for the password that protects the ".pfx" certificate.
If the password is correct, OpenSSL displays "MAC verified OK".

Then, convert this certificate from the ".pem" format to the ".cer" format, by typing this :

Batch

openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer

4. Preview of obtained files

With these commands, you have your key in the ".pvk" format and your certificate in the ".cer" format (DER encoded).