How to get the certificate part only and the private key part only respectively from PEM file in the command way?

Question

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM, by, for instance:

openssl pkcs12 -in cert_and_pvt_key.pfx -out cert_and_pvt_key.pem

then I have a PEM file with both certificate and private key, now, I want to get certificate file and private key file respectively, yes, I know cert_and_pvt_key.pem is in text format, we can copy the key part and cert part as we like, but, this is not elegant, I want something sophisticated, like openssl pkcs12, is there anything available?

Answer 1

You can use the -nocerts and -nokeys option to openssl pkcs12 to only output the part you need. Run openssl pkcs12 with each in turn:

openssl pkcs12 -in cert_and_pvt_key.pfx -nokeys -out cert.pem

then:

openssl pkcs12 -in cert_and_pvt_key.pfx -nocerts -out pvt_key.pem

If you haven't got access to the original PKCS#12 file, then it becomes a little more difficult. The following should work:

openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nokeys -out cert.pem

and:

openssl pkcs12 -export -in cert_and_pvt_key.pem | openssl pkcs12 -nocerts -out pvt_key.pem

However, this asks for a pass-phrase when the the PKCS#12 is created and again when it attempts to split the file to certificate and keys. OpenSSL provides the -nodes verb to disable this pass-phrase, but it doesn't seem to work with -export. Therefore, it would fail in a script.

Otherwise, you're left with splitting the file with awk or similar. There are plenty of examples on this site.