Remove Private Key Password From PFX (PKCS12) File

Posted 01/26/2018 7:49 PM by Corey Klass

If you have a PFX file that contains a private key with a password, you can use OpenSSL to extract the private key without a password into a separate file, or create a new PFX file without a password.

For those running macOS or Linux, I've created a Bash script to automate the process, which you can download from GitHub. You set the PFX_PASSWORD and PFX_FILE_IN variables at the top of the file with your own values, and don't forget to make it executable by running chmod +x pfx-remove-password.sh in Terminal.

For those running Windows, you can download OpenSSL for Windows binaries from SourceForge.

The manual instructions are below.

If you only want the private key file, you can skip steps 5 and 6.

If you want a PFX file with no password, you can delete TargetFile.Key when you're finished.

  • MyPassword is your current password
  • SourceFile.PFX is the PFX file you want to convert
  • TargetFile.Key is the name of the private key file without a password that will be generated
  • TargetFile.PFX is the name of the PFX file without a password that will be generated

1. Extract the certificate:

openssl pkcs12 -clcerts -nokeys -in "SourceFile.PFX" -out certificate.crt -password pass:"MyPassword" -passin pass:"MyPassword"

2. Extract the certificate authority (CA) certificates:

openssl pkcs12 -cacerts -nokeys -in "SourceFile.PFX" -out ca-cert.ca -password pass:"MyPassword" -passin pass:"MyPassword"

3. Extract the private key:

openssl pkcs12 -nocerts -in "SourceFile.PFX" -out private.key -password pass:"MyPassword" -passin pass:"MyPassword" -passout pass:TemporaryPassword

4. Remove the passphrase from the private key file:

openssl rsa -in private.key -out "TargetFile.Key" -passin pass:TemporaryPassword

5. Create a new input file to generate a PFX file:

On Linux/macOS:
cat private.key certificate.crt ca-cert.ca > pfx-in.pem

On Windows:
type private.key certificate.crt ca-cert.ca > pfx-in.pem

6. Generate a new PFX file without a password:

openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in pfx-in.pem -passin pass:TemporaryPassword -passout pass:"" -out "TargetFile.PFX"

And that's it. For an input file named test-cert.pfx, you'll now have a private key file named test-cert.nopassword.key and a PFX file named test-cert.nopassword.pfx.
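
The same conversion as a shell function, added here as an example (it is not the author's GitHub script): it passes the password through OpenSSL's env: source so it stays out of the process list and shell history, keeps the unencrypted key in an owner-only temporary directory that is removed on exit, and checks that the new PFX carries the same certificate. The names pfx_strip_password and pfx_fingerprint are hypothetical, and steps 1-4 are collapsed into one -nodes extraction, which also works for non-RSA keys.

```sh
#!/bin/sh
# Added example, not the author's script. Function names are hypothetical.
# The current password is read from the PFX_PASSWORD environment variable.

# pfx_fingerprint FILE PASS_SOURCE
# Prints the SHA-256 fingerprint of the client certificate inside a PFX.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# pfx_strip_password SOURCE.pfx TARGET.pfx
# The body runs in a subshell so umask, trap and export do not leak out.
pfx_strip_password() (
    src=$1; dst=$2
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; exit 2; }
    export PFX_PASSWORD              # openssl's env: source needs it exported
    umask 077                        # every file created below is owner-only
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT        # the unencrypted key never outlives the run

    # Steps 1-4: certificates and private key in one pass, key left unencrypted
    openssl pkcs12 -in "$src" -nodes -passin env:PFX_PASSWORD \
        -out "$tmp/all.pem" 2>/dev/null ||
        { echo "cannot open $src (wrong password?)" >&2; exit 1; }

    # Steps 5-6: re-export with an empty password
    openssl pkcs12 -export -in "$tmp/all.pem" -passout pass: -out "$dst" ||
        exit 1

    # Check: the target must contain the same client certificate as the source
    want=$(pfx_fingerprint "$src" env:PFX_PASSWORD)
    got=$(pfx_fingerprint "$dst" pass:)
    [ -n "$want" ] && [ "$want" = "$got" ] ||
        { rm -f "$dst"; echo "certificate mismatch" >&2; exit 1; }
)
```

Call it as PFX_PASSWORD='MyPassword' pfx_strip_password SourceFile.PFX TargetFile.PFX; the resulting file is created with mode 600 because it now protects the key with nothing but file permissions.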

Reference: Serverfault