Customers sometimes need to export a certificate and private key from a Windows computer as separate certificate and key files for use elsewhere. Windows doesn't provide the means to complete this process.
Exporting Certificates from the Windows Certificate Store describes how to export a certificate and private key into a single .pfx file. Follow the procedure below to extract separate certificate and private key files from the .pfx file.
- Start the MMC snap-in certmgr.msc. You will be asked if you want to operate on your Personal certificate store, the local machine Personal certificate store, or the store associated with a service account. In most cases you want the local machine store.
- In the left pane, navigate to the node that contains the certificate of interest.
- Right-click the certificate and select All Tasks > Export.
- Follow the prompts in the Certificate Export Wizard. Note: you won't be able to export a private key if it wasn't marked as exportable when you originally created the CSR for the certificate.
- Take the file you exported (e.g. filename.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
- Run the following OpenSSL command to export the private key:
  `openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes`
- Run the following OpenSSL command to export the certificate:
  `openssl pkcs12 -in certname.pfx -nokeys -out cert.pem`
- Run the following OpenSSL command to remove the passphrase from the private key:
  `openssl rsa -in key.pem -out server.key`
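
The OpenSSL steps above as one script, added here as an example rather than taken from the original article: it reads the .pfx password from a file, creates the key files under `umask 077`, and checks that the extracted key really belongs to the extracted certificate. The function names, the password file and the throwaway self-signed certificate used as input are constructed for the example.

```shell
#!/bin/sh
set -eu

# Constructed sample input: a throwaway self-signed RSA certificate in a .pfx.
make_sample_pfx() {    # $1 = work dir, $2 = file holding the .pfx password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout "file:$2" -out "$1/certname.pfx"
}

# The three commands from the procedure. The subshell sets umask 077 so the
# unencrypted key files are created readable by their owner only, and the
# password comes from a file instead of a prompt or the command line.
split_pfx() (          # $1 = .pfx file, $2 = password file, $3 = output dir
    umask 077
    mkdir -p "$3" &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes -out "$3/key.pem" &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -out "$3/cert.pem" &&
    openssl rsa -in "$3/key.pem" -out "$3/server.key" 2>/dev/null
)

# Succeeds only if the private key and the first certificate in the file
# carry the same public key.
key_matches_cert() (   # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$k" ] && [ "$k" = "$c" ]
)

demo() (
    t=$(mktemp -d) && trap 'rm -rf "$t"' EXIT
    printf 'constructed-password\n' > "$t/pass"
    make_sample_pfx "$t" "$t/pass"
    split_pfx "$t/certname.pfx" "$t/pass" "$t/out"
    key_matches_cert "$t/out/server.key" "$t/out/cert.pem" &&
        echo "server.key matches cert.pem"
)
demo
```

Both key.pem and server.key hold the private key unencrypted, so remove whichever copy you do not deploy, along with the .pfx, once the files are in place.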