
How to export a certificate and a private key from a .pfx using OpenSSL?


Alright, so let’s make this a quick one. I’ve had to google this multiple times, since I have to do this a couple of times per year, which is NOT often enough for me to remember it by heart, or even for my Terminal to remember the commands properly.

So, long story short – here’s how to export a PEM-formatted .cer file and your private key (and optionally decrypt it as well!) from a .pfx file containing both!

Solution

We’ll be using OpenSSL to manipulate the certificate files, so install it first.

Done? Let’s get to it!

Time needed: 10 minutes

How to export a certificate and a key from a .pfx file?

  1. Download/export your .pfx

    It all starts with actually HAVING a .pfx file. The file needs to contain the certificate and the key.

    We’ll assume your certificate is called my.pfx for the remainder of the how-to.

    We’ll also assume your .pfx file’s password is empty. That’s how it is if you have exported it from an Azure App Service using the UI anyway.

  2. Change to the directory where your .pfx is

    Maybe this is obvious, but to make running the commands as easy as possible, change to the directory where your .pfx file is. Let’s just assume it’s in the directory below:

    cd "C:\temp\cert-export\"

  3. Export your certificate

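    Now we’ll export a PEM-encoded certificate with a .cer file extension. It’ll be a base64-encoded text file that you can then investigate with openssl. The -nokeys switch keeps the private key out of this file; without it, openssl writes the key into my.cer as well.

    openssl pkcs12 -in .\my.pfx -out my.cer -clcerts -nokeys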

  4. Export your encrypted private key

    Now we’ll export the key out of the .pfx – it’ll be encrypted at this point, so let’s call it my-encrypted.key:

    openssl pkcs12 -in .\my.pfx -nocerts -out my-encrypted.key

  5. (OPTIONAL) decrypt your private key

    The last step exported your private key in encrypted form. You might want to use it in a decrypted, cleartext form. AKS, for example, wants it in this form.

    openssl rsa -in .\my-encrypted.key -out my.key
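Before handing the files to anything, it's worth checking that they are what you think they are. The PowerShell below is an added example, not part of the original post: it assumes my.cer and my.key from the steps above are in the current directory and that openssl is on your PATH, and `Get-PublicKeyPem` is a hypothetical helper name used only here.

```powershell
# Added example: sanity checks for the files produced by the steps above.
# Assumes my.cer and my.key are in the current directory and openssl is on PATH.
$ErrorActionPreference = 'Stop'

function Get-PublicKeyPem {
    # Hypothetical helper: runs openssl and returns its PEM output as one string.
    param([string[]]$OpenSslArgs)
    $pem = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    return ($pem -join "`n")
}

# 1. my.cer should hold certificate material only, never a key block.
if (Select-String -Path .\my.cer -Pattern 'PRIVATE KEY' -Quiet) {
    throw 'my.cer contains a private key block; re-export it with -nokeys.'
}

# 2. The certificate and the decrypted key must carry the same public key.
#    Both commands emit a "BEGIN PUBLIC KEY" PEM block, so a string compare is enough.
$fromCert = Get-PublicKeyPem @('x509', '-in', '.\my.cer', '-noout', '-pubkey')
$fromKey  = Get-PublicKeyPem @('pkey', '-in', '.\my.key', '-pubout')
if ($fromCert -ne $fromKey) {
    throw 'my.cer and my.key do not belong together.'
}

# 3. my.key is cleartext: drop inherited permissions and leave access
#    to the current user only (Modify, so the file can still be deleted later).
& icacls .\my.key /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:(M)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls could not restrict my.key.' }

# 4. Show which certificate was exported and when it expires.
& openssl x509 -in .\my.cer -noout -subject -enddate
Write-Host 'Certificate and key match; my.key is restricted to the current user.'
```

Once the key has been uploaded where it needs to go, delete my.key and my-encrypted.key from the working directory rather than leaving them in C:\temp.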

And there we go! Hope I’ll remember to find the commands from here the next time I need them :)
