--- title: Convert PFX to CRT+KEY tags: linux, openssl --- # Convert a pfx certificate to crt and key files ### Extract private key ```bash openssl pkcs12 -in cert.pfx -nocerts -out cert-encrypted.key openssl rsa -in cert-encrypted.key -out cert.key ``` The second command removes the requirement to enter the password upon webserver start. Quite useful if you don't want your webserver get stuck with "Enter passphrase" during startup ### Extract public key ```bash openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt ``` ### Generate CA file ```bash openssl pkcs12 -in cert.pfx -nokeys -nodes -cacerts -out ca-bundle.crt ``` # Usage in httpd config ```bash <VirtualHost 192.168.0.1:443> ... SSLEngine on SSLCertificateFile /etc/pki/tls/certs/cert.crt SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt SSLCertificateKeyFile /etc/pki/tls/private/cert.key ... </VirtualHost> ```