De-compiling .pfx file
In the previous note we looked at how to create a .pfx file for our SSL work. Many vendors and certificate issuers deliver the SSL certificate for a purchased domain in PFX format. In this note we look at how to de-compile the .pfx file and extract the following files from it:
CA Certificate (Root CA)
Private Key (.key)
CA-Chain (.bundle)
Here we have obtained the .pfx file from the domain provider, and we will now extract the files listed above using openssl.

We will extract the files one by one, starting with the private key.
~ Extracting the private key from the pfx file :
# openssl pkcs12 -in wildcard_ghoulsec.pfx -nocerts -out private.key -nodes
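The private key is now extracted. Because of the -nodes option, private.key is written without passphrase encryption, so keep the file readable only by its owner. Next we extract the CA certificate, also known as the root CA certificate.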
~ Extracting the ca certificate from the pfx file :
# openssl pkcs12 -in wildcard_ghoulsec.pfx -clcerts -nokeys -out ca.crt
We have extracted the certificate of the domain (-clcerts selects the client certificate, the one that pairs with the private key). Next we extract the CA-chain file, which bundles the root CA certificate and can later be used to sign the certificates.
~ Extracting the ca-chain certificate bundle from the pfx file :
# openssl pkcs12 -in wildcard_ghoulsec.pfx -cacerts -nokeys -out ca-chain.bundle
All the necessary files are now generated. Next we verify that the extracted files are consistent with the original .pfx package.

Check the modulus of the private key:
~ Compare the output of the following commands (the two Modulus= values must be identical) :
# openssl rsa -in private.key -noout -modulus
# openssl x509 -in ca.crt -noout -modulus
Check the output of the following command :
# openssl verify -CAfile ca-chain.bundle ca.crt
The output of this command looks like :
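The extraction and verification steps above, combined into one script (an added example, not code from the original note): it extracts under a restrictive umask because -nodes leaves the key unencrypted, compares the key and certificate moduli, and verifies the certificate against the bundle. The helper names, the throwaway CA, `*.example.test` and the password `changeit` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original note. Hypothetical helper names;
# the sample CA, wildcard name and password "changeit" are constructed.

# Build a throwaway CA, leaf certificate and PFX in directory $1 (test data).
make_sample_pfx() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/rootca.pem" -subj "/CN=Example Test CA" -days 1 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" -subj "/CN=*.example.test" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -certfile "$d/rootca.pem" -out "$d/sample.pfx" -passout pass:changeit
}

# Succeeds only if RSA key $1 and certificate $2 carry the same modulus.
# A failed read returns 1 instead of comparing two empty strings.
key_matches_cert() {
  local k c
  k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Extract from PFX $1 (password $2) into directory $3, then run both checks.
# Returns 2 if extraction fails, 1 on key mismatch, else openssl verify's status.
pfx_extract_and_check() {
  local pfx="$1" pass="$2" out="$3"
  ( umask 077  # -nodes writes private.key unencrypted: owner-only access
    # pass: is used for the sample; -passin env:VAR or file:PATH keeps a real
    # password out of the process list.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
      -out "$out/private.key" &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
      -out "$out/ca.crt" &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
      -out "$out/ca-chain.bundle"
  ) 2>/dev/null || return 2
  key_matches_cert "$out/private.key" "$out/ca.crt" || return 1
  openssl verify -CAfile "$out/ca-chain.bundle" "$out/ca.crt" >/dev/null 2>&1
}

# Demo run on the constructed sample.
demo=$(mktemp -d) && make_sample_pfx "$demo" &&
  pfx_extract_and_check "$demo/sample.pfx" changeit "$demo" &&
  echo "private.key, ca.crt and ca-chain.bundle belong together"
rm -rf "$demo"
```

The modulus comparison applies to RSA keys only, as in the commands above.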
