Use the password you specified earlier when exporting the pfx. What are the password flags to be used? openssl pkcs12 -in idp.pfx Enter Import Password: MAC verified OK Bag Attributes localKeyID: 01 00 00 00 Microsoft CSP Name: Microsoft Strong Cryptographic Provider friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19 Key Attributes X509v3 Key Usage: 10 Enter Ctrl+C a couple of times to get back to the command prompt. openssl pkcs12 -info -in baeldung.keystore Enter Import Password: MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag Bag Attributes friendlyName: trustme localKeyID: F4 36 4E 19 E4 E4 E7 65 74 56 FB 50 40 02 68 8B EC F0 4D B3 subject=C = IN, ST = DE, L = DC, O = BA, OU = AU, CN = baeldung.com … openssl pkcs12 -in example.pfx -nocerts -out example.key . Enter PEM pass phrase: Verifying - Enter PEM pass phrase: As shown here you will be asked for the password of the pfx file, later you will be asked to enter a PEM passphase lets for example use 123456 for everything here. I got an invalid password when I do the following:-bash-3.1$ openssl pkcs12 -in janet.p12 -nocerts -out userkey.pem -passin test123 openssl pkcs12 -export -out cert.p12 -inkey privkey.pem -in cert.pem -certfile cacert.pem (-certfile cacert.pem is only if there is an intermediate certificate) Enter pass phrase for privkey.pem: I'm using openssl pkcs12 to export the usercert and userkey PEM files out of pkcs12. Try to import into Windows certification store with the same password using certmgr.msc To convert the exported PKCS #12 file you need the OpenSSL utility, openssl.exe. Prerequisites. Once you have downloaded your PKCS#12 file you will be required to split the file into its relevant key and certificate file for use with Apache. Generate any PKCS#12 on examples page with a password. openssl pkcs12 -in /path/to/PKCS12.pfx -clcerts -nokeys -out publiccert.pem Notes: 1) The first command will request the password that was used to encrypt the PKCS#12 certificate. I don't want the openssl pkcs12 to prompt the user for the import and pem pass phrase. Get PEM key out of PKCS12 (password entered in step 1 may be needed) openssl pkcs12 -in keystore.p12 -out extracted.pem -nodes Enter Import Password: MAC verified OK Cut the private key and save to a key file: $ openssl pkcs12 -export -out cert.pfx -inkey cert.key.pem -in cert.pem Enter Export Password: Verifying - Enter Export Password: For both of those password lines with the OpenSSL command, I just pressed enter. SPLITTING YOUR PKCS#12 FILE USING OPENSSL. Enter Import Password: # Extract the private key openssl pkcs12 -in wild.pfx -nocerts -nodes -out priv.cer # Extract the public key openssl pkcs12 -in wild.pfx -clcerts -nokeys -out pub.cer # Extract the CA cert chain openssl pkcs12 -in wild.pfx -cacerts -nokeys -chain -out ca.cer It will then request and confirm a new password to encrypt the private key file, privatekey.pem. To do this open the Terminal and browse to the folder where you have saved the PKCS#12 … For more information about the openssl pkcs12 command, enter man pkcs12.. PKCS #12 file that contains one user certificate. Enter Import Password: MAC verified OK. Try to extract key using OpenSSL command with the same password openssl pkcs12 -in pkijs_pkcs12.p12 -nocerts -out key.pem -nodes the result is an error: Mac verify error: invalid password? The following examples show how to create a password protected PKCS #12 file that contains one or more certificates. The exported PKCS #12 file must be converted into separate root certificate, user certificate, and private key files.