Tag: OpenSSL

Extracting a Private Key from a Certificate

Splitting a Certificate File

We recently had an issue where I was required to upload a certificate to an F5 Big-IP. Most admins have probably already figured out that some systems, such as ADCs or load balancers, require the certificate you upload to come in two parts. Part 1 is the certificate file itself, with an extension of .CER, and part 2 is the private key, with an extension of .KEY. Some certificate providers bundle the private key and certificate together; as useful as this is, sometimes you have a requirement to separate the private key from the certificate file.

To split a certificate we will use OpenSSL for Windows, a free utility to manage and create certificates. If you don’t already have a copy of this utility, click HERE to download it.

The steps below assume the utility is located in the root of the C: drive and that the certificate you want to split is kept in the same folder.


Open an administrative command prompt and navigate to the folder where you have stored the OpenSSL utility, then run the following command. You will be asked to provide the password for the certificate. This will extract the private key.

openssl pkcs12 -in certificates.pfx -nocerts -out privatekey.key


Next we will extract the certificate, so run the command below:

openssl pkcs12 -in certificates.pfx -clcerts -nokeys -out certificate.cer


That’s it! You now have a private key and certificate which you can utilise. If you need to use OpenSSL on Windows, I’ve attached the program to this post. Just extract the files, navigate to the OpenSSL directory using a command prompt, and call openssl.exe [then your commands].

Creating Self-Signed Certificates or Certificate Signing Requests with OpenSSL

Creating Certificates with OpenSSL


One of the most versatile SSL tools is OpenSSL, which is an open source implementation of the SSL protocol. There are versions of OpenSSL for nearly every platform, including Windows, Linux, and Mac OS X. OpenSSL is commonly used to create the CSR and private key for many different platforms, including Apache. However, it also has hundreds of different functions that allow you to view the details of a CSR or certificate, compare an MD5 hash of the certificate and private key (to make sure they match), verify that a certificate is installed properly on any website, and convert the certificate to a different format. A compiled version of OpenSSL for Windows can be found attached below.

Place the unzipped folder on the C: drive. Then open a command prompt and type CD C:\openssl-1.0.2h-x64_86-win64


Generate a new private key and Certificate Signing Request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key


Generate a self-signed certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt


Generate a certificate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privateKey.key -new


Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key


Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem


Check a Certificate Signing Request (CSR)

openssl req -text -noout -verify -in CSR.csr


Check a private key

openssl rsa -in privateKey.key -check


Check a certificate

openssl x509 -in certificate.crt -text -noout


Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12
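
The introduction above mentions comparing a hash of the certificate and private key to make sure they match, which is worth doing after splitting a .pfx and before uploading the two parts. The script below is an added example, not part of the original post: it hashes the public key with SHA-256 instead of taking an MD5 of the modulus, so it also works for non-RSA keys. It is written for a POSIX shell, assumes PEM files with an unencrypted key, and its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a private key belongs to a certificate by hashing
# the public key each one carries. Function names are illustrative.

cert_pubkey_digest() {   # $1 = PEM certificate
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

key_pubkey_digest() {    # $1 = PEM private key (unencrypted)
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {     # $1 = certificate, $2 = private key
    cert_digest=$(cert_pubkey_digest "$1") || return 2
    key_digest=$(key_pubkey_digest "$2") || return 2
    [ "$cert_digest" = "$key_digest" ]
}

# Constructed sample data: a throwaway self-signed pair, built with the same
# "openssl req -x509" form shown earlier on this page.
make_sample_pair() {     # $1 = directory, $2 = base name
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo: a.crt is checked against its own key and against an unrelated key.
tmp=$(mktemp -d)
make_sample_pair "$tmp" a
make_sample_pair "$tmp" b
for name in a b; do
    if key_matches_cert "$tmp/a.crt" "$tmp/$name.key"; then
        echo "a.crt + $name.key: match"
    else
        echo "a.crt + $name.key: MISMATCH"
    fi
done
rm -rf "$tmp"
```

The two openssl invocations inside the digest functions are the same on Windows; only the surrounding shell syntax differs.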