19

I'm trying to get a private RSA key from a PKCS #12 file.

I've tried running the standard

openssl pkcs12 -nocerts -out priv.pem -in domain.com.pfx

However this results in a key file like the one below:

Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00 
friendlyName: xxxxxxxx
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----

The server that I need to put it into cannot handle the key file, and when I look at the example data I see a file like below

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF

And of course the key is present in both files. However it seems the server will only accept an RSA private key file, and it seems to me like the output I get is an X509v3 file. Anyone know how to get this to an RSA private key file?

Dorana
    try adding *-nodes* after *-nocerts* to create an unencrypted private key – guido Sep 14 '12 at 07:52
  • Thanks. Tried this as well, but I cannot remove the password from the output pem file and this still leaves me with the X509v3 file – Dorana Sep 14 '12 at 07:58
  • @Dorana I wanted to create a certificate like yours, my pem file does not contain the first code section which has Microsoft library reference and x509v3, etc. What tool did you use? – Waqas Idrees Sep 01 '22 at 01:14

3 Answers

32

Well - using a text editor to remove the offending lines may be easiest. Otherwise below will clean up the bag attributes:

openssl pkcs12 -in x.pfx  -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem

and can also be used to get der/net

openssl pkcs12 -in x-fred.p12  -nocerts -nodes -passin pass: | openssl rsa -outform DER -out privkey.der

which may be in fact the format you want. It is fairly common for tools to not accept a passwordless private key though (and a lot of tools will silently fail if the number of characters is not at least 4 or 6). So in those cases change the tail end to:

.... | openssl rsa -passout pass:123456 -out privkey.pem
.... | openssl rsa -passout pass:123456 -out privkey.der -outform der
Dirk-Willem van Gulik
1

On Windows 7 64-bit, you can simply use your command. But on Mac and Linux, you should do the following steps:

1, create your pem file:
openssl pkcs12 -in xxx.pfx -out xxx.pem

2, create your rsa private key :
openssl pkcs12 -in xxx.pfx -passin pass:yourpassword | openssl rsa -des3 -passout pass:yourpassword -out xxx.key

This step will create the key file with the content: " -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF"

3, open your .pem and .key file in a text editor, and replace the original key " -----BEGIN ENCRYPTED PRIVATE KEY-----" in the .pem file with the RSA key in the .key file.

schumyxp
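The pipe-through-`openssl` approach from the two answers above, as an added, self-contained example that is not code from the question or either answer: it builds a throwaway PKCS#12 bundle (password 123456, file names and the passphrase s3cret are all constructed for the demo), extracts the key as a traditional "RSA PRIVATE KEY" PEM both unencrypted and passphrase-protected, and checks that the Bag Attributes and the PKCS#8 "ENCRYPTED PRIVATE KEY" wrapper are gone. It uses `openssl pkey -traditional` rather than bare `openssl rsa` because OpenSSL 3 changed `openssl rsa` to write PKCS#8 by default, which would reproduce the very header the question is trying to get rid of.

```bash
# Added example (not from the question or answers): round-trip a throwaway
# PKCS#12 bundle to a traditional "BEGIN RSA PRIVATE KEY" PEM, plain and
# passphrase-protected, then verify it. Bundle, password and names are constructed.
set -euo pipefail
# Self-signed key + cert bundled as PKCS#12, standing in for domain.com.pfx.
make_test_pfx() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -name demo -passout pass:123456 -out "$dir/demo.pfx"
}
# `pkcs12 -nocerts -nodes` emits the PKCS#8 key plus Bag Attributes; piping it
# through `pkey -traditional` drops the attributes and writes the PKCS#1 "RSA
# PRIVATE KEY" form (OpenSSL 3 makes plain `openssl rsa -out` emit PKCS#8 too).
# Optional $4 = output passphrase, applied as legacy Proc-Type/DEK-Info encryption.
extract_rsa_key() {
  local pfx=$1 pfxpass=$2 out=$3 outpass=${4:-}
  if [ -n "$outpass" ]; then
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pfxpass" \
      | openssl pkey -traditional -des3 -passout "pass:$outpass" -out "$out"
  else
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pfxpass" \
      | openssl pkey -traditional -out "$out"
  fi
}
# 0 if the file has the legacy RSA header and no Bag Attributes / PKCS#8
# wrapper; with "encrypted" it must also carry the legacy Proc-Type header.
check_rsa_pem() {
  local f=$1 want=${2:-plain}
  head -n1 "$f" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' || return 1
  grep -q 'Bag Attributes' "$f" && return 1
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f" && return 1
  if [ "$want" = encrypted ]; then grep -q '^Proc-Type: 4,ENCRYPTED' "$f"
  else ! grep -q '^Proc-Type' "$f"; fi
}
# Whole round trip in a scratch dir; 0 only if both files check out and the
# encrypted copy still opens with its new passphrase.
run_demo() {
  local dir; dir=$(mktemp -d)
  make_test_pfx "$dir" || return 1
  extract_rsa_key "$dir/demo.pfx" 123456 "$dir/privkey.pem" || return 1
  extract_rsa_key "$dir/demo.pfx" 123456 "$dir/privkey-enc.pem" s3cret || return 1
  check_rsa_pem "$dir/privkey.pem" plain || return 1
  check_rsa_pem "$dir/privkey-enc.pem" encrypted || return 1
  openssl rsa -in "$dir/privkey-enc.pem" -passin pass:s3cret -noout -check >/dev/null || return 1
  rm -rf "$dir"
}
run_demo && echo "privkey.pem and privkey-enc.pem carry the expected RSA PRIVATE KEY headers"
```

On OpenSSL 1.1.x `openssl rsa -out` already writes the legacy header, so the answers' commands work there as written; `pkey -traditional` gives the same result on both 1.1.x and 3.x.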
1

This works for me:

openssl pkcs12 -in "$1" \
    -nocerts -nomacver \
    -passin file:<(cat "$pw") \
    -passout file:<(cat "$pw") |
sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,/^-----END ENCRYPTED PRIVATE KEY-----/p'
ceving