# Extract CRT and KEY Files from a PFX Certificate A `.pfx` (PKCS#12) file contains your public certificate, private key, and intermediate certificates bundled together.\ This guide explains how to extract the **certificate (.crt)** and **private key (.key)** using a simple Bash script with **OpenSSL**. ### **Prerequisites** Before you begin: * A valid `.pfx` file provided by the customer. * The password for the `.pfx` file. * **OpenSSL** installed on your local machine. * (Optional) Rename the file for clarity using this format:\ \&#xNAN;**`domain.pfx`** — for example: `medianova_com.pfx`. {% stepper %} {% step %} #### **Create the Extraction Script** Create a new Bash script file named **extract-cert.sh** and copy the following commands: ```bash #!/bin/bash # Usage: ./extract-cert.sh # 1. Extract encrypted private key openssl pkcs12 -in domain.pfx -nocerts -out encrypted-domain.key -passin pass:$1 -passout pass:$1 # 2. Decrypt the private key openssl rsa -in encrypted-domain.key -out domain.key -passin pass:$1 # 3. Extract public certificate openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt -passin pass:$1 # 4. Verify that the certificate and key match first=$(openssl x509 -in domain.crt -modulus -noout | openssl md5) second=$(openssl rsa -in domain.key -modulus -noout | openssl md5) if [[ "$first" == "$second" ]]; then echo "✅ Certificate and Key match." else echo "❌ Mismatch between certificate and key." fi ``` Save and close the file. {% hint style="info" %} Replace `domain.pfx` with your actual filename (e.g., `medianova_com.pfx`). {% endhint %} {% endstep %} {% step %} #### **Make the Script Executable** Run the following command to make the script executable: ```bash chmod +x extract-cert.sh ``` {% endstep %} {% step %} #### **Run the Script** Execute the script using your `.pfx` password as an argument: ```bash ./extract-cert.sh yourPFXpassword ``` {% hint style="info" %} Replace `yourPFXpassword` with the actual password for your `.pfx` file.\ The script automatically validates whether the `.crt` and `.key` match. {% endhint %} {% endstep %} {% step %} #### Files Generated After running the script, three files will be generated: | File Name | Description | | ---------------------- | -------------------------------------------------- | | `domain.crt` | Public certificate. | | `domain.key` | Unencrypted private key. | | `encrypted-domain.key` | Encrypted private key (temporary, can be deleted). | | {% endstep %} | | {% step %} #### **Verify the Output** If extraction is successful, you’ll see one of the following messages in your terminal: ``` ✅ Certificate and Key match. ``` If the certificate and private key do not match: ``` ❌ Mismatch between certificate and key. ``` {% hint style="info" %} If you see a mismatch error, verify the `.pfx` file and password before re-running the script. {% endhint %} {% endstep %} {% endstepper %} This procedure automates the extraction of certificate and key files from `.pfx` bundles.\ You can now use the generated `.crt` and `.key` files to upload your own SSL certificate in the [**Medianova Control Panel**](https://cloud.medianova.com). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://clients.medianova.com/products/security/ssl-tls-encryption/extract-crt-and-key-files-from-a-pfx-certificate.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.