Extracting a Private Key from a Certificate

Splitting a Certificate File

We recently had an issue where I was required to upload a certificate to an F5 Big-IP. Most admins have probably already figured out that some systems, such as ADCs or load balancers, require the certificate you upload to come in two parts. Part 1 is the certificate file itself, with an extension of .CER, and part 2 is the private key, with an extension of .KEY. Some certificate providers bundle the private key and certificate together; as useful as this is, sometimes you have a requirement to separate the private key from the certificate file.

To split a certificate we will use OpenSSL for Windows, a free utility to manage and create certificates. If you don’t already have a copy of this utility, you can download it below.

The steps below assume the utility is located in the root of the C drive and that the certificate you want to split is kept in the same folder.

Open an administrative command prompt and navigate to the folder where you have stored the OpenSSL utility, then run the following command. You will be asked to provide the password for the certificate. This will extract the private key.

openssl pkcs12 -in certificates.pfx -nocerts -out privatekey.key

Next, extract the certificate by running the command below:

openssl pkcs12 -in certificates.pfx -clcerts -nokeys -out certificate.cer

That’s it! You now have a private key and certificate which you can utilise. If you need to use OpenSSL on Windows, I’ve attached the program to this post. Just extract the files, navigate to the OpenSSL directory in a command prompt and call openssl.exe [then your commands].
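Before uploading the pair to a device such as the Big-IP, it is worth confirming that the extracted key really belongs to the extracted certificate. The PowerShell below is an added example, not part of the original post: it compares the public key inside certificate.cer with the one derived from privatekey.key and reports whether the key file is still protected by a pass phrase. The function names and the -OpenSsl parameter are assumptions.

```powershell
# Added example (not from the original post). $OpenSsl is an assumption:
# a command name on PATH, or a path such as .\openssl.exe.
function Get-PublicKeyPem {
    param([string]$OpenSsl, [string[]]$OpenSslArgs)
    # Only stdout is captured; pass phrase prompts still go to the console.
    $out = & $OpenSsl $OpenSslArgs
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($OpenSslArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
    ($out -join "`n").Trim()
}

function Test-KeyMatchesCertificate {
    param(
        [string]$CertPath = 'certificate.cer',
        [string]$KeyPath  = 'privatekey.key',
        [string]$OpenSsl  = 'openssl'
    )
    foreach ($path in $CertPath, $KeyPath) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "File not found: $path"
        }
    }
    # Public key embedded in the certificate. openssl skips the
    # "Bag Attributes" text that pkcs12 writes above the PEM block.
    $fromCert = Get-PublicKeyPem $OpenSsl @('x509', '-in', $CertPath, '-noout', '-pubkey')
    # Public key derived from the private key (openssl prompts for the
    # pass phrase if the key file is encrypted).
    $fromKey = Get-PublicKeyPem $OpenSsl @('pkey', '-in', $KeyPath, '-pubout')

    # Matches both PKCS#8 and traditional encrypted PEM headers.
    $encHeader = '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)'
    [pscustomobject]@{
        # True only when both files carry the same public key.
        KeyMatchesCertificate = ($fromCert -ceq $fromKey)
        # True when the key on disk is still protected by a pass phrase.
        KeyIsEncrypted = [bool](Select-String -LiteralPath $KeyPath -Pattern $encHeader -CaseSensitive -Quiet)
    }
}

# File names are the ones produced by the two extraction commands above.
Test-KeyMatchesCertificate -CertPath 'certificate.cer' -KeyPath 'privatekey.key'
```

Run it from the folder that holds both files; PowerShell does not start executables from the current directory by bare name, so pass -OpenSsl .\openssl.exe when openssl is not on PATH.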

To reverse this and merge a .cer file and a .key file into a PFX, use the command below:

openssl pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.pfx

