Other
      Back to home
      1. Help Center
      2. How To
      3. Other

      How to Export Certs using OpenSSL

      This how-to will walk you through extracting information from a PKCS#12 file with OpenSSL. PKCS#12 (also known as PKCS12 or PFX) is a binary format for storing a certificate chain and private key in a single, encryptable file. PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.

      What is OpenSSL?
      OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin. You can also easily create a PKCS#12 file with openSSL.

      In all of the examples shown below, substitute the names of the files you are actually working with for 

      INFILE.p12, OUTFILE.crt, and OUTFILE.key.

      View PKCS#12 Information on Screen

      To dump all of the information in a PKCS#12 file to the screen in PEM format, use this command: openssl pkcs12 -info -in INFILE.p12 -nodes

      You will then be prompted for the PKCS#12 file’s password:

      Enter Import Password:

      Type the password entered when creating the PKCS#12 file and press 

      enter. OpenSSL will output any certificates and private keys in the file to the screen:
      Bag Attributes
      localKeyID: AC 3E 77 9A 99 62 84 3D 77 CB 44 0D F9 78 57 7C 08 28 05 97
      subject=/CN=Aaron Russell/emailAddress=*********@gmail.com
      issuer=/C=US/ST=Texas/L=Houston/O=SSL Corp/CN=SSL.com Client Certificate Intermediate CA RSA R1
      -----BEGIN CERTIFICATE-----
      MIIF1DCCA7ygAwIBAgIQcOrAJCMayJsZBKJsyz/aQDANBgkqhkiG9w0BAQsFADB+
      MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x
      ETAPBgNVBAoMCFNTTCBDb3JwMTowOAYDVQQDDDFTU0wuY29tIENsaWVudCBDZXJ0
       ...
      bwK6ABAZUq6QcvhD0LYsXya+ncDCR6wxb9E0DWd4ATQMzxGTu/yE3kT+9Ef6IY+n
      armh3HZUfan2Hb64YD0tjLMca/PC+sKAZu28gB/3HQRHIFugvh6RO3bIoorl0jUg
      1Ml2r83++biS0HL6JdcwuuUF
      -----END PRIVATE KEY-----

      Encrypt Private Key

      If you would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command:

      openssl pkcs12 -info -in INFILE.p12

      In this case, you will be prompted to enter and verify a new password after OpenSSL outputs any certificates, and the private key will be encrypted (note that the text of the key begins with 

      -----BEGIN ENCRYPTED PRIVATE KEY-----

      ):

      Enter PEM pass phrase:

      Verifying - Enter PEM pass phrase:
      -----BEGIN ENCRYPTED PRIVATE KEY-----
      MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIGwhJIMXRiLQCAggA
      MBQGCCqGSIb3DQMHBAiXdeymTYuedgSCBMjwGg78PsqiNJLfpDFbMxL98u3tK9Cs
       
      ...
       
      SGVCCBj5vBpSbBXAGbOv74h4satKmAMgGc8SgU06geS9gFgt/wLwehMJ/H4BSmex
      4S/2tYzZrDBJkfH9JpggubYRTgwfAGY2BkX03dK2sqfu+QVTVTKMj2VI0sKcFfLZ
      bdw=
      -----END ENCRYPTED PRIVATE KEY-----

      Extract Only Certificates or Private Key

      If you only want to output the private key, add -nocerts to the command:

      openssl pkcs12 -info -in aaron__russell.p12 -nodes -nocerts

      If you only need the certificates, use -nokeys

       (and since we aren’t concerned with the private key we can also safely omit -nodes):

      openssl pkcs12 -info -in INFILE.p12 -nokeys

      Save Certificates and Private Keys to Files

      You can export the certificates and private key from a PKCS#12 file and save them in PEM format to a new file by specifying an output filename:

      openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nodes

      Again, you will be prompted for the PKCS#12 file’s password. As before, you can encrypt the private key by removing the -nodes flag from the command and/or add -nocerts or -nokeys to output only the private key or certificates. So, to generate a private key file, we can use this command:

      openssl pkcs12 -in INFILE.p12 -out OUTFILE.key -nodes -nocerts

      And to create a file including only the certificates, use this:

      openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nokeys

      Convert Private Key to PKCS#1 Format

      The examples above all output the private key in OpenSSL’s default PKCS#8 format. If you know you need PKCS#1 instead, you can pipe the output of the OpenSSL’s PKCS#12 utility to its RSA or EC utility depending on the key type. Both of the commands below will output a key file in PKCS#1 format:

      RSA

      openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl rsa -out OUTFILE.key

      EC

      openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl ec -out OUTFILE.key

      Note: You can tell the difference between PKCS#8 and PKCS#1 private key files by looking at the first line of text. PKCS#1 files will specify the algorithm:

      -----BEGIN RSA PRIVATE KEY-----

       

      PKCS#8 files do not show the algorithm, and may also be encrypted:

      -----BEGIN PRIVATE KEY-----

      or
      -----BEGIN ENCRYPTED PRIVATE KEY-----