‹ Back

How to Export the Private Key from a PFX File (Windows & OpenSSL) for Replace vCenter Server Certificate with external CA certificate(requires private key)

 

 

###first, if you dont have Openssl on your machine, you can download it from here###

 

 

A PFX file (Personal Information Exchange) contains a certificate, intermediate certificates, and the corresponding private key. Sometimes, you may need to extract the private key for configuration in load balancers, web servers (like Apache or Nginx), or secure tunneling tools.

In this article, we’ll show you step-by-step methods to extract the private key from a .pfx file using Windows GUI (MMC) and OpenSSL CLI.

 

 

🧰 What You’ll Need

A valid .pfx file (e.g. cert_bundle.pfx)

The password for the .pfx file

OpenSSL installed (for CLI method)

Admin rights (for Windows GUI method)

 

 

 Using OpenSSL (Cross-Platform, Recommended)

This is the most flexible and widely-used method, especially for Linux, macOS, and server environments.

🔸– Export Private Key from .pfx (Protected) using OpenSSL

 

since you have a password-protected .pfx file and want to export the private key, the most reliable way is to use OpenSSL from PowerShell or CMD.

 

###openssl pkcs12 -in "C:\path\to\yourcert.pfx" -nocerts -out "C:\path\to\private-key-encrypted.pem"

 

This extracts the private key only. It will prompt for:

 

The .pfx password (to decrypt)

A new password to protect the exported .pem file

 

 

🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸–🔸

 

 

🔸– If You Need the Key Unencrypted (not recommended for production):

openssl pkcs12 -in "C:\path\to\yourcert.pfx" -nocerts -nodes -out "C:\path\to\private-key.pem"

-nodes = no encryption on the private key output

✅ Also Want to Export the Certificate?

###openssl pkcs12 -in "C:\path\to\yourcert.pfx" -clcerts -nokeys -out "C:\path\to\certificate.pem"

 

enjoy it and good luck!