How to get your Certificate and Private Key file from a PFX file

The filename extensions for PKCS #12 are *.PFX or *.P12 and both are the most common bundles of  X.509  certificates (sometimes with the full chain of trust) and private key.

I always need to look at the man page of OpenSSL or review my bash history to use the right options to extract a certificate file and a key file from it.

For this reason, I’ve created a small bash script to complete this step for me.

I used this script mainly on Linux, but can be very useful even on Windows using WSL (with any distribution).  It is simply a matter of opening file explorer on the folder where the pfx is stored, copy the script and run it in place, so the files will be quickly generated there.

How it works and what it does?

This bash script requires OpenSSL and zip (both included in any standard Linux distribution). It will prompt the user to type the certificate (certificate + private key) file name with pfx  extension, prompt also to type your passphrase (if it was implemented to protect the private key) and finally it will generate individual files for:

  • certificate.pem (certificate with no private key)
  • key.pem (just private key protected with a password)
  • certificate.key (just private key without password)
  • (will all the files above including the pfx)


I don’t install SSL Certificates every single day, Let’s Encrypt and Certbot/Acme tools reduced a lot this activity for me in these recent years. But pfx is definitely the most common format I use when I purchase one, so whenever I need to configure for instance an Apache webserver this script it is quite handy. 

As usual, you can find this script on my GitHub repository.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.