Extract CRT and KEY Files from a PFX Certificate

Learn how to extract .crt and .key files from a .pfx certificate using OpenSSL.

A .pfx (PKCS#12) file contains your public certificate, private key, and intermediate certificates bundled together. This guide explains how to extract the certificate (.crt) and private key (.key) using a simple Bash script with OpenSSL.

Prerequisites

Before you begin:

A valid .pfx file provided by the customer.
The password for the .pfx file.
OpenSSL installed on your local machine.
(Optional) Rename the file for clarity using this format: domain.pfx — for example: medianova_com.pfx.

Create the Extraction Script

Create a new Bash script file named extract-cert.sh and copy the following commands:

#!/bin/bash
# Usage: ./extract-cert.sh <pfx-password>

# 1. Extract encrypted private key
openssl pkcs12 -in domain.pfx -nocerts -out encrypted-domain.key -passin pass:$1 -passout pass:$1

# 2. Decrypt the private key
openssl rsa -in encrypted-domain.key -out domain.key -passin pass:$1

# 3. Extract public certificate
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt -passin pass:$1

# 4. Verify that the certificate and key match
first=$(openssl x509 -in domain.crt -modulus -noout | openssl md5)
second=$(openssl rsa -in domain.key -modulus -noout | openssl md5)

if [[ "$first" == "$second" ]]; then
    echo "✅ Certificate and Key match."
else
    echo "❌ Mismatch between certificate and key."
fi

Save and close the file.

Replace domain.pfx with your actual filename (e.g., medianova_com.pfx).

Make the Script Executable

Run the following command to make the script executable:

chmod +x extract-cert.sh

Run the Script

Execute the script using your .pfx password as an argument:

./extract-cert.sh yourPFXpassword

Replace yourPFXpassword with the actual password for your .pfx file. The script automatically validates whether the .crt and .key match.

Files Generated

After running the script, three files will be generated:

File Name

Description

domain.crt

Public certificate.

domain.key

Unencrypted private key.

encrypted-domain.key

Encrypted private key (temporary, can be deleted).

Verify the Output

If extraction is successful, you’ll see one of the following messages in your terminal:

✅ Certificate and Key match.

If the certificate and private key do not match:

❌ Mismatch between certificate and key.

If you see a mismatch error, verify the .pfx file and password before re-running the script.

This procedure automates the extraction of certificate and key files from .pfx bundles. You can now use the generated .crt and .key files to upload your own SSL certificate in the Medianova Control Panel.

PreviousUpload and Manage SSL Certificates NextUse Free SSL Certificates

Last updated 3 months ago

Was this helpful?

hashtagPrerequisites

hashtagCreate the Extraction Script

hashtagMake the Script Executable

hashtagRun the Script

hashtagFiles Generated

hashtagVerify the Output