How to Export the Private Key from a PFX File (Windows & OpenSSL) to Replace the vCenter Server Certificate with an External CA Certificate (Requires Private Key)


First, if you don't have OpenSSL on your machine, you can download it from here.

A PFX file (Personal Information Exchange) contains a certificate, intermediate certificates, and the corresponding private key. Sometimes, you may need to extract the private key for configuration in load balancers, web servers (like Apache or Nginx), or secure tunneling tools.

In this article, we’ll show you step-by-step methods to extract the private key from a .pfx file using Windows GUI (MMC) and OpenSSL CLI.

🧰 What You’ll Need

A valid .pfx file (e.g. cert_bundle.pfx)

The password for the .pfx file

OpenSSL installed (for CLI method)

Admin rights (for Windows GUI method)

Using OpenSSL (Cross-Platform, Recommended)

This is the most flexible and widely-used method, especially for Linux, macOS, and server environments.

🔸– Export Private Key from .pfx (Protected) using OpenSSL


Since you have a password-protected .pfx file and want to export the private key, the most reliable way is to use OpenSSL from PowerShell or CMD.

openssl pkcs12 -in "C:\path\to\yourcert.pfx" -nocerts -out "C:\path\to\private-key-encrypted.pem"

This extracts the private key only. It will prompt for:

The .pfx password (to decrypt)

A new password to protect the exported .pem file

🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–

🔸– If You Need the Key Unencrypted (not recommended for production):

openssl pkcs12 -in "C:\path\to\yourcert.pfx" -nocerts -nodes -out "C:\path\to\private-key.pem"


-nodes = no encryption on the private key output


✅ Also Want to Export the Certificate?

openssl pkcs12 -in "C:\path\to\yourcert.pfx" -clcerts -nokeys -out "C:\path\to\certificate.pem"
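The extraction steps above, followed by a check that the exported key and certificate really belong together, written as a POSIX shell script (Linux, macOS, WSL or Git Bash). This is an added example, not part of the original article: the function names, file names, the CN and the PFX_PASS / KEY_PASS environment variables are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). File names, the CN and the
# passwords are constructed for this demo. Passwords are read from the
# environment (PFX_PASS, KEY_PASS) so they never appear in the process list.

# Build a throwaway self-signed PFX in directory $1 so the demo runs offline.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vcenter.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/bundle.pfx" -passout env:PFX_PASS
}

# Extract from PFX $1 into directory $2, using the same options as the article.
# The subshell body keeps the restrictive umask local to this function.
extract_pfx() (
    umask 077   # new files are readable by the owner only
    openssl pkcs12 -in "$1" -nocerts -passin env:PFX_PASS \
        -passout env:KEY_PASS -out "$2/private-key-encrypted.pem" &&
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS \
        -out "$2/certificate.pem"
)

# Succeeds only if the public key derived from encrypted key $1 equals the
# public key embedded in certificate $2. A failed openssl call is a failure.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) &&
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo: run the script with --demo to exercise all three steps.
if [ "${1:-}" = "--demo" ]; then
    export PFX_PASS='constructed-pfx-pass' KEY_PASS='constructed-key-pass'
    d=$(mktemp -d) && make_demo_pfx "$d" && extract_pfx "$d/bundle.pfx" "$d" &&
    key_matches_cert "$d/private-key-encrypted.pem" "$d/certificate.pem" &&
    echo "key and certificate match"
    rm -rf "$d"
fi
```

Running the comparison before uploading to vCenter catches the common mistake of pairing a key with a certificate from a different request.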

Wrapping Up with Key Insights

Exporting the private key from a PFX file is a crucial step when replacing a vCenter Server certificate with one issued by an external CA. On Windows, this can be done through the Certificate Manager by enabling the option to export the private key, while OpenSSL provides a flexible command-line approach for the same task. In both cases, it’s important to securely handle the private key, as it is required for successful certificate replacement and must be protected from unauthorized access. Proper preparation and validation ensure a smooth integration with vCenter Server and help maintain a secure and trusted environment.
