The following examples show how to create a password protected PKCS #12 file that contains one or more certificates. openssl pkcs12 -info -in baeldung.keystore Enter Import Password: MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag Bag Attributes friendlyName: trustme localKeyID: F4 36 4E 19 E4 E4 E7 65 74 56 FB 50 40 02 68 8B EC F0 4D B3 subject=C = IN, ST = DE, L = DC, O = BA, OU = AU, CN = … I don't want the openssl pkcs12 to prompt the user for the import and pem pass phrase. # Extract the private key openssl pkcs12 -in wild.pfx -nocerts -nodes -out priv.cer # Extract the public key openssl pkcs12 -in wild.pfx -clcerts -nokeys -out pub.cer # Extract the CA cert chain openssl pkcs12 -in wild.pfx -cacerts -nokeys -chain -out ca.cer openssl pkcs12 -in example.pfx -nocerts -out example.key . It will then request and confirm a new password to encrypt the private key file, privatekey.pem. $ openssl pkcs12 -export -out cert.pfx -inkey cert.key.pem -in cert.pem Enter Export Password: Verifying - Enter Export Password: For both of those password lines with the OpenSSL command, I just pressed enter. Try to import into Windows certification store with the same password using certmgr.msc Try to extract key using OpenSSL command with the same password openssl pkcs12 -in pkijs_pkcs12.p12 -nocerts -out key.pem -nodes the result is an error: Mac verify error: invalid password? I got an invalid password when I do the following:-bash-3.1$ openssl pkcs12 -in janet.p12 -nocerts -out userkey.pem -passin test123 Generate any PKCS#12 on examples page with a password. Enter Import Password: MAC verified OK. For more information about the openssl pkcs12 command, enter man pkcs12.. PKCS #12 file that contains one user certificate. Prerequisites. Use the password you specified earlier when exporting the pfx. openssl pkcs12 -export -out cert.p12 -inkey privkey.pem -in cert.pem -certfile cacert.pem (-certfile cacert.pem is only if there is an intermediate certificate) Enter pass phrase for privkey.pem: I'm using openssl pkcs12 to export the usercert and userkey PEM files out of pkcs12. Once you have downloaded your PKCS#12 file you will be required to split the file into its relevant key and certificate file for use with Apache. To do this open the Terminal and browse to the folder where you have saved the PKCS#12 … openssl pkcs12 -in idp.pfx Enter Import Password: MAC verified OK Bag Attributes localKeyID: 01 00 00 00 Microsoft CSP Name: Microsoft Strong Cryptographic Provider friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19 Key Attributes X509v3 Key Usage: 10 Enter Ctrl+C a couple of times to get back to the command prompt. Get PEM key out of PKCS12 (password entered in step 1 may be needed) openssl pkcs12 -in keystore.p12 -out extracted.pem -nodes Enter Import Password: MAC verified OK Cut the private key and save to a key file: Enter Import Password: Enter PEM pass phrase: Verifying - Enter PEM pass phrase: As shown here you will be asked for the password of the pfx file, later you will be asked to enter a PEM passphase lets for example use 123456 for everything here. The exported PKCS #12 file must be converted into separate root certificate, user certificate, and private key files. openssl pkcs12 -in /path/to/PKCS12.pfx -clcerts -nokeys -out publiccert.pem Notes: 1) The first command will request the password that was used to encrypt the PKCS#12 certificate. What are the password flags to be used? SPLITTING YOUR PKCS#12 FILE USING OPENSSL. To convert the exported PKCS #12 file you need the OpenSSL utility, openssl.exe.