An SSL certificate and private key can be stored in many formats. Sometimes, it may be necessary to convert from one format to another. One such case is where you have a private and public key (certificate) in PKCS12 (PFX-file) format, and need the individual certificate and private key in X509 format. You can use OpenSSL to perform the conversion.
A PFX-file generally contains both the private and public key (certificate) and is usually secured with a passphrase. If the PFX-file you want to convert is secured with a password, you will need this in order to perform the conversion. If you do not have the password, there's no way to reset this and the PFX-file will be unusable. When performing the conversion, you will be prompted to enter this passphrase ("import passphrase").
openssl pkcs12 -in <my-pfx.pfx> -clcerts -nokeys -out <my-cert.crt>
After entering the "import passphrase", the file will be created. As this is the public certificate, you will not be prompted for a passphrase to secure the exported file.
openssl pkcs12 -in <my-pfx.pfx> -nocerts -out <encrypted-key.key>
Enter the "import passphrase". If it is correct, you will be prompted to enter a passphrase for the exported private key. Enter a password of your choosing and continue. The file will be created.
If you want to have an unencrypted private key, you can decrypt the exported key:
openssl rsa -in <encrypted-key.key> -out <UNSECURE-key.key>
Note that you will have to take precautions to keep this unencrypted file secure!
Sometimes, you may require the private key in PEM format, rather than in X509 format:
openssl rsa -in <encrypted-key.key> -outform PEM -out <encrypted-key.pem>
As PEM-format is also secure, you will prompted to enter a passphrase to secure the exported file.