
How to extract the certificate and key from a PFX file
First, use the command below to extract only the key from the .pfx file:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
After executing the command, you will be prompted three times: once for the password used to generate the .pfx file, and then twice (entry and confirmation) for the PEM pass phrase that will protect the extracted key.
Once the key has been extracted and saved to a file, we can now extract the certificate from the .pfx file using the following command:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
After execution, you will be prompted again for the password used during the creation of the .pfx file.
Now, with the .key and .crt files in hand, let’s decrypt the .key file using the following command:
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
As in the previous steps, the password will be requested.
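After this process, you will have the following files: the encrypted key (drlive.key), the certificate (drlive.crt), and the decrypted key (drlive-decrypted.key). The decrypted key is no longer protected by a pass phrase, so keep it readable only by its owner.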
How to create a PFX file from a certificate
With all the necessary components ready, we can now generate a .pfx file.
First, concatenate all your .crt files into a single file, since the command that creates the .pfx file takes only one certificate file as input. Use the following command:
cat <hostname_certificate>.crt <arquivo CA>.crt <arquivo USER>.crt <arquivo AAA>.crt >> arquivo-full.crt
After concatenating all the certificates into one file, we can proceed to create the .pfx file.
To generate it, use the following OpenSSL command:
openssl pkcs12 -export -out <name_do_arquivo>.pfx -inkey <arquivo-decrypted>.key -in <arquivo-full>.crt
During the execution of the command, you will be prompted to set a password. Then, you will be asked to confirm it — simply enter the same password again.
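The extraction and rebuild steps above can be checked end to end with the script below. It is an added example, not part of the original page: it runs the same openssl commands non-interactively against a throwaway self-signed certificate and verifies that the extracted key belongs to the extracted certificate. The DEMO_PASS variable, the demo file names and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Pass phrases are read from the
# environment (env:DEMO_PASS) instead of prompts; all names here are constructed.

# Succeeds only when the private key and the certificate hold the same public key.
key_matches_cert() {    # usage: key_matches_cert <key.pem> <cert.pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs every step inside directory $1; the && chain stops at the first failure.
pfx_steps() {
    cd "$1" &&
    # Constructed input: throwaway self-signed certificate packed into demo.pfx.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout orig.key -out orig.crt 2>/dev/null &&
    openssl pkcs12 -export -out demo.pfx -inkey orig.key -in orig.crt \
        -passout env:DEMO_PASS &&
    # The page's three extraction steps.
    openssl pkcs12 -in demo.pfx -nocerts -out demo.key \
        -passin env:DEMO_PASS -passout env:DEMO_PASS &&
    openssl pkcs12 -in demo.pfx -clcerts -nokeys -out demo.crt \
        -passin env:DEMO_PASS &&
    openssl rsa -in demo.key -out demo-decrypted.key \
        -passin env:DEMO_PASS 2>/dev/null &&
    key_matches_cert demo-decrypted.key demo.crt &&
    # Rebuild a PFX from the extracted pair and confirm it still holds the same key.
    openssl pkcs12 -export -out rebuilt.pfx -inkey demo-decrypted.key \
        -in demo.crt -passout env:DEMO_PASS &&
    openssl pkcs12 -in rebuilt.pfx -clcerts -nokeys -out rebuilt.crt \
        -passin env:DEMO_PASS &&
    key_matches_cert orig.key rebuilt.crt
}

roundtrip() {
    d=$(mktemp -d) || return 1
    # Subshell: umask 077 keeps key files owner-only, and cd stays local.
    ( umask 077; DEMO_PASS='constructed-demo-pass'; export DEMO_PASS
      pfx_steps "$d" )
    rc=$?
    rm -rf "$d"       # the decrypted key never outlives the run
    return "$rc"
}

roundtrip && echo "round trip OK: extracted key matches certificate"
```

key_matches_cert can be run on its own against real files before building a .pfx; a mismatch means the key and certificate do not belong together.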
Reference: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file.

