OpenSSL logo

How to export a certificate and a private key from a .pfx using OpenSSL?

2 min read.

Alright, so let’s make this a quick one. I’ve had to google this multiple times, since I have to do this a couple of times per year, which is NOT often enough for me to remember it by heart, or even for my Terminal to remember the commands properly.

So, long story short – here’s how to export a PEM-formatted .cer -file and your private key (and optionally decrypt it as well!) from a .pfx -file containing both!


We’ll be using OpenSSL to manipulate the certificate files, so install it first.

Done? Let’s get to it!

Time needed: 10 minutes

How to export a certificate and a key from a .pfx -file?

  1. Download/export your .pfx

    It all starts with actually HAVING a .pfx file. The file needs to contain the certificate and the key.

    We’ll assume your certificate is called my.pfx for the remainder of the how-to.

    We’ll also assume your pfx-file’s password is empty. That’s how it is if you have exported it from an Azure App service using the UI anyway.

  2. Change to the directory where your .pfx is in

    Maybe this is obvious, but to make running the commands as easy as possible, change to the directory where your .pfx file is in. Let’s just assume it’s in the directory below:

    cd "C:\temp\cert-export\"

  3. Export your certificate

    Now we’ll export a PEM-encoded certificate with a .cer file extension. It’ll be base64-encoded text file that you can then investigate with openssl.

    openssl pkcs12 -in .\my.pfx -out my.cer -clcerts

  4. Export your encrypted private key

    Now we’ll export the key out of the .pfx – it’ll be encrypted at this point, so let’s call it my-encrypted.key:

    openssl pkcs12 -in .\my.pfx -nocerts -out my-encrypted.key

  5. (OPTIONAL) decrypt your private key

    The last step exported your private key in encrypted form. You might want to use it in a decrypted, cleartext form. AKS, for example, wants it in this form.

    openssl rsa -in .\my-encrypted.key -out my.key

And there we go! Hope I’ll remember to find the commands from here the next time I need them :)

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments