How to Extract CRT and KEY Files from a PFX Certificate

This guide explains how to extract .crt (certificate) and .key (private key) files from a .pfx certificate bundle provided by the customer, using a Bash script with OpenSSL.

Prerequisites

  • The customer must provide a .pfx certificate file.

  • Rename the file to match the following format: domain.pfx. (Example: medianova_com.pfx)

  • You must have OpenSSL installed on your machine.

  • You must know the password of the .pfx file.


Files Generated

File Name             | Description
----------------------+-----------------------------------
domain.crt            | Public certificate
domain.key            | Unencrypted private key
encrypted-domain.key  | Encrypted private key (temporary)


Script Usage

Save the following script as extract-cert.sh:

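#!/bin/bash

# Usage: ./extract-cert.sh <pfx-password>
# Replace medianova_com.pfx below with the name of your renamed .pfx file.

# Stop at the first failing command. Without this, a failed extraction (for
# example a wrong password) makes both digests below hash empty input, so they
# compare equal and the script reports a match.
set -euo pipefail

# Create the key files readable by the current user only.
umask 077

# Extract the private key (still encrypted), then write an unencrypted copy.
# The password is quoted so that spaces or shell metacharacters survive.
openssl pkcs12 -in medianova_com.pfx -nocerts -out encrypted-domain.key -passin "pass:$1" -passout "pass:$1"
openssl rsa -in encrypted-domain.key -out domain.key -passin "pass:$1"

# Extract the client (leaf) certificate without the key.
openssl pkcs12 -in medianova_com.pfx -clcerts -nokeys -out domain.crt -passin "pass:$1"

# Compare MD5 digests of the RSA modulus of the certificate and of the key.
first=$(openssl x509 -in domain.crt -modulus -noout | openssl md5)
second=$(openssl rsa -in domain.key -modulus -noout | openssl md5)

if [[ "$first" == "$second" ]]; then
    echo "✅ Certificate and Key match."
else
    echo "❌ Mismatch between certificate and key."
fi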

Running the Script

chmod +x extract-cert.sh
./extract-cert.sh yourPFXpassword

Replace yourPFXpassword with the actual password provided for the .pfx file.


Notes

  • The script checks that the extracted certificate and key match by comparing MD5 digests of their RSA modulus values.

  • If the script reports a mismatch, double-check the .pfx file and password.
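
The modulus comparison only applies to RSA keys. The following added example (not part of the original script) compares the public key in the certificate with the one derived from the private key, which works for any key type, treats unreadable input as an error instead of a match, and checks that the unencrypted key file is not readable by other users. The function names and the two command-line arguments are assumptions.

```bash
#!/bin/bash
# Added example, not the original script. Function names are illustrative.
# Usage (assumed): ./check-pair.sh domain.crt domain.key
set -u

# Return 0 if certificate ($1) and private key ($2) hold the same public key,
# 1 if they differ, 2 if either file cannot be parsed. Comparing the public
# key instead of the RSA modulus also covers EC and Ed25519 keys.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    # Fail closed: two empty outputs must never count as a match.
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only if the file exists and has no group/other permission bits.
# Characters 5-10 of the "ls -l" mode string are the group and other bits.
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Run the checks only when called with a certificate and a key path.
if [ "$#" -eq 2 ]; then
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "Certificate and key match." ;;
        1) echo "Mismatch between certificate and key." ;;
        *) echo "Could not read certificate or key." ;;
    esac
    if ! key_is_private "$2"; then
        echo "Warning: $2 is accessible to group or others (chmod 600 $2)."
    fi
    exit "$rc"
fi
```
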


Output Example

✅ Certificate and Key match.

Or, if there's a problem:

❌ Mismatch between certificate and key.
