If you have a PFX file that contains a private key with a password, you can use OpenSSL to extract the private key without a password into a separate file, or create a new PFX file without a password.
For those running macOS or Linux, I've created a Bash script to automate the process, which you can download from GitHub. Set the PFX_PASSWORD and PFX_FILE_IN variables at the top of the file to your own values, and don't forget to make it executable by running chmod +x pfx-remove-password.sh in Terminal.
For those running Windows, you can download OpenSSL for Windows binaries from SourceForge.
The manual instructions are below.
If you only want the private key file, you can skip steps 5 and 6.
If you want a PFX file with no password, you can delete TargetFile.Key when you're finished.
In the commands below:
- MyPassword is your current password
- SourceFile.PFX is the PFX file you want to convert
- TargetFile.Key is the name of the private key file without a password that will be generated
- TargetFile.PFX is the name of the PFX file without a password that will be generated
1. Extract the certificate to a file named certificate.crt
openssl pkcs12 -clcerts -nokeys -in "SourceFile.PFX" -out certificate.crt -password pass:"MyPassword" -passin pass:"MyPassword"
2. Extract the certificate authority (CA) certificates to a file named ca-cert.ca
openssl pkcs12 -cacerts -nokeys -in "SourceFile.PFX" -out ca-cert.ca -password pass:"MyPassword" -passin pass:"MyPassword"
3. Extract the private key to a file named private.key
openssl pkcs12 -nocerts -in "SourceFile.PFX" -out private.key -password pass:"MyPassword" -passin pass:"MyPassword" -passout pass:TemporaryPassword
4. Remove the passphrase from the private key file
openssl rsa -in private.key -out "TargetFile.Key" -passin pass:TemporaryPassword
5. Create a new input file to generate a PFX file
On Linux/macOS:
cat private.key certificate.crt ca-cert.ca > pfx-in.pem
On Windows:
type private.key certificate.crt ca-cert.ca > pfx-in.pem
6. Generate a new PFX file called TargetFile.PFX without a password
openssl pkcs12 -export -nodes -CAfile ca-cert.ca -in pfx-in.pem -passin pass:TemporaryPassword -passout pass:"" -out "TargetFile.PFX"
And that's it. For an input file named test-cert.pfx, you'll now have a private key file named test-cert.nopassword.key and a PFX file named test-cert.nopassword.pfx.
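Steps 1 to 6 as a single function, written here as an added example (it is not the script from GitHub): it hands passwords to OpenSSL through environment variables rather than pass: arguments, which show up in the process list, and keeps the intermediate files in an owner-only temporary directory that is removed on exit. The function name and the PFX_PASSWORD and PFX_TMP_PASS variables are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. Hypothetical names: pfx_strip_password,
# PFX_PASSWORD, PFX_TMP_PASS.
# Usage: PFX_PASSWORD=... pfx_strip_password SourceFile.PFX TargetFile.Key [TargetFile.PFX]
pfx_strip_password() (
    in=$1; key_out=$2; pfx_out=${3:-}
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; exit 2; }
    export PFX_PASSWORD

    umask 077                       # files created below are readable by the owner only
    work=$(mktemp -d) || exit 1     # private scratch directory for intermediates
    trap 'rm -rf "$work"' EXIT      # removed on success and on failure

    # Random throwaway passphrase in place of a fixed temporary password.
    PFX_TMP_PASS=$(openssl rand -hex 16) || exit 1
    export PFX_TMP_PASS

    # Steps 1-3: client certificate, CA certificates, still-encrypted private key.
    openssl pkcs12 -clcerts -nokeys -in "$in" -out "$work/certificate.crt" \
        -passin env:PFX_PASSWORD || exit 1
    openssl pkcs12 -cacerts -nokeys -in "$in" -out "$work/ca-cert.ca" \
        -passin env:PFX_PASSWORD || exit 1
    openssl pkcs12 -nocerts -in "$in" -out "$work/private.key" \
        -passin env:PFX_PASSWORD -passout env:PFX_TMP_PASS || exit 1

    # Step 4: write the key without a passphrase.
    openssl rsa -in "$work/private.key" -out "$key_out" -passin env:PFX_TMP_PASS || exit 1
    chmod 600 "$key_out" || exit 1  # also tightens a pre-existing output file

    # Steps 5-6 (optional): rebuild a PFX with an empty export password.
    # The CA certificates travel inside pfx-in.pem, so -CAfile is not passed here.
    [ -n "$pfx_out" ] || exit 0
    cat "$work/private.key" "$work/certificate.crt" "$work/ca-cert.ca" \
        > "$work/pfx-in.pem" || exit 1
    openssl pkcs12 -export -in "$work/pfx-in.pem" -passin env:PFX_TMP_PASS \
        -passout pass: -out "$pfx_out" || exit 1
)
```

Both output files hold the private key unprotected, so write them only to a location whose access is already restricted.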
Reference: Serverfault