How to Extract .key and .crt Files from PKCS12 (.p12) Certificate Using OpenSSL



PKCS12 (also known as PFX) files are common certificate containers that bundle both the certificate and private key in a single encrypted file. This format is widely used for secure certificate distribution.

You'll need OpenSSL installed on your system. Most Linux distributions have it pre-installed. For Windows, you can get it from Win32 OpenSSL or use WSL.

Run this command to extract the private key:


openssl pkcs12 -in certificate.p12 -nocerts -out private.key -nodes

You'll be prompted for:
1. The PKCS12 file password
2. A new passphrase for the output key (press Enter for no password)

To extract the certificate:


openssl pkcs12 -in certificate.p12 -nokeys -out certificate.crt

Enter the PKCS12 password when prompted.

Check your private key:


openssl rsa -in private.key -check

View your certificate:


openssl x509 -in certificate.crt -text -noout

You can extract both components at once:


openssl pkcs12 -in certificate.p12 -out private.key -nodes -nocerts
openssl pkcs12 -in certificate.p12 -out certificate.crt -nokeys

Problem: "unable to load private key" error
Solution: Try adding the -legacy flag for older OpenSSL versions

Problem: Incorrect password
Solution: Double-check the PKCS12 password or try password-less extraction


The PKCS#12 format (usually with .p12 or .pfx extension) is a binary format for storing cryptographic objects like private keys, certificates, and chain certificates. It's commonly used for secure key distribution and is password-protected by default.

Before proceeding, ensure you have:

  • OpenSSL installed (comes pre-installed on most Unix systems)
  • The PKCS12 file you want to extract from
  • The password for the PKCS12 file

Here's the fundamental OpenSSL command to extract the private key:

openssl pkcs12 -in certificate.p12 -nocerts -out key.pem -nodes

To extract the certificate:

openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out cert.pem

For a more comprehensive extraction that gives you both files in one go:

# Extract private key
openssl pkcs12 -in yourfile.p12 -nocerts -out private.key -nodes

# Extract certificate
openssl pkcs12 -in yourfile.p12 -clcerts -nokeys -out certificate.crt

# Optional: Extract CA certificates
openssl pkcs12 -in yourfile.p12 -cacerts -nokeys -out cacerts.crt

Let's walk through a concrete example with a sample PKCS12 file:

# First, let's create a test PKCS12 file (for demonstration)
openssl req -x509 -newkey rsa:2048 -keyout test.key -out test.crt -days 365 -nodes
openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt

# Now extract the components
openssl pkcs12 -in test.p12 -nocerts -out extracted.key -nodes
openssl pkcs12 -in test.p12 -clcerts -nokeys -out extracted.crt

For more control over the extraction process:

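# Specify an encryption algorithm for the output key
# (-nodes is omitted: it disables key encryption, so it cannot be combined with -aes256)
openssl pkcs12 -in certificate.p12 -nocerts -out key.pem -aes256

# Locate a specific certificate by friendly name
# (-name only applies with -export; on extraction, each certificate in cert.pem
# is preceded by a "Bag Attributes" header that carries its friendlyName)
openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out cert.pem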

# Convert the key to RSA format if needed
openssl rsa -in key.pem -out key.rsa

If you encounter problems:

  • "Unable to load private key" - Usually means wrong password
  • "No certificate matches" - The file might not contain certificates
  • "Expecting: ANY PRIVATE KEY" - The file might be corrupted

To verify your extracted files:

openssl rsa -in extracted.key -check
openssl x509 -in extracted.crt -text -noout

Remember that:

  • The extracted .key file contains sensitive private key material
  • Using -nodes means the key won't be encrypted in the output file
  • Always set proper file permissions (chmod 600 for key files)
  • Consider removing the -nodes flag for production use and protecting the key with a passphrase
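
The extraction, permission and verification steps above combined into one script, as an added example that is not part of the original article. The function names and the P12_PASS environment variable are assumptions. It goes beyond the RSA-only check by comparing public keys with openssl pkey, which also works for EC keys.

```shell
#!/bin/sh
# Added example: extract the key and leaf certificate from a PKCS#12 file,
# keep the key private from the moment it is created, and confirm the pair
# belongs together. P12_PASS is an assumed variable holding the file password;
# -passin env: keeps the password out of the process list (unlike pass:).

# extract_p12 <in.p12> <out.key> <out.crt>
extract_p12() {
    p12=$1 key=$2 crt=$3
    (
        # Restrictive umask: the key file is created as 0600, so there is
        # no window in which it is readable before a later chmod.
        umask 077
        openssl pkcs12 -in "$p12" -nocerts -nodes \
            -passin env:P12_PASS -out "$key"
    ) || { rm -f "$key"; return 1; }   # no partial key left on failure

    openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -passin env:P12_PASS -out "$crt" || { rm -f "$key" "$crt"; return 1; }
}

# key_matches_cert <key> <crt>
# Succeeds only when the private key and the certificate carry the same
# public key. Both commands print the SubjectPublicKeyInfo in PEM form.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Example use (file names are placeholders):
#   P12_PASS='...'; export P12_PASS
#   extract_p12 certificate.p12 private.key certificate.crt &&
#       key_matches_cert private.key certificate.crt && echo "pair verified"
```

The key is written unencrypted because of -nodes, so the 0600 mode is the only protection on the output file; drop -nodes and add -passout if the key should stay passphrase-protected.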