How to Extract CRT and KEY Files from a PFX Certificate
This guide explains how to extract .crt (certificate) and .key (private key) files from a .pfx certificate bundle provided by the customer, using a Bash script with OpenSSL.
Prerequisites
The customer must provide a .pfx certificate file.
Rename the file to match the following format: domain.pfx (Example: medianova_com.pfx).
You must have OpenSSL installed on your machine.
You must know the password of the .pfx file.
Files Generated
domain.crt: Public certificate
domain.key: Unencrypted private key
encrypted-domain.key: Encrypted private key (temporary)
Script Usage
Save the following script as extract-cert.sh:
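#!/bin/bash
# Usage: ./extract-cert.sh <pfx-password>
# Replace medianova_com.pfx below with the name of your renamed .pfx file.
# Stop at the first failed command (for example a wrong password), so the
# comparison below never runs on missing or empty files.
set -euo pipefail
# Extract the private key, still encrypted with the PFX password.
openssl pkcs12 -in medianova_com.pfx -nocerts -out encrypted-domain.key -passin "pass:$1" -passout "pass:$1"
# Decrypt the private key (RSA keys only).
openssl rsa -in encrypted-domain.key -out domain.key -passin "pass:$1"
# Extract the public certificate.
openssl pkcs12 -in medianova_com.pfx -clcerts -nokeys -out domain.crt -passin "pass:$1"
# Compare the RSA modulus of the certificate and the key.
first=$(openssl x509 -in domain.crt -modulus -noout | openssl md5)
second=$(openssl rsa -in domain.key -modulus -noout | openssl md5)
if [[ "$first" == "$second" ]]; then
    echo "✅ Certificate and Key match."
else
    echo "❌ Mismatch between certificate and key."
fi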
Running the Script
chmod +x extract-cert.sh
./extract-cert.sh yourPFXpassword
Replace yourPFXpassword with the actual password provided for the .pfx file.
Notes
The script checks that the extracted certificate and key match by comparing their modulus values.
If you get a FALSE output, double-check the .pfx file and password.
Output Example
✅ Certificate and Key match.
Or, if there's a problem:
❌ Mismatch between certificate and key.
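A variant of the extraction and match check, added here as an example and not part of the original script. It reads the password from an environment variable (PFX_PASS, an assumed name) instead of a command-line argument, which keeps it out of the process list, and it compares public keys rather than the RSA modulus, so it is not limited to RSA keys. The function names extract_pfx and cert_key_match are hypothetical, and the unencrypted key is written directly, without the temporary encrypted file.

```shell
#!/bin/bash
# Added example, not the original extract-cert.sh.
# Assumption: the .pfx password is exported as PFX_PASS (hypothetical name).

# extract_pfx <file.pfx> <basename>: writes <basename>.key and <basename>.crt
extract_pfx() {
    # umask 077 keeps the unencrypted key readable by the current user only.
    # -nodes writes the key unencrypted. With a wrong password, openssl pkey
    # receives no input and fails, so the function returns non-zero.
    ( umask 077
      openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS \
          | openssl pkey -out "$2.key" ) || return 1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS \
        | openssl x509 -out "$2.crt"
}

# cert_key_match <cert.pem> <key.pem>
# Returns 0 = same public key, 1 = different, 2 = a file could not be parsed.
# An empty result is never treated as a match.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs only when called as: PFX_PASS=... ./script.sh <file.pfx> <basename>
if [ "$#" -eq 2 ]; then
    : "${PFX_PASS:?export PFX_PASS with the .pfx password first}"
    extract_pfx "$1" "$2" || { echo "Extraction failed." >&2; exit 1; }
    if cert_key_match "$2.crt" "$2.key"; then
        echo "Certificate and Key match."
    else
        echo "Mismatch between certificate and key." >&2
        exit 1
    fi
fi
```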