pfxextract to extract unencrypted key and certs from a pfx certificate file. Copy somewhere in your path and chmod +x it.

pfxextract

#!/usr/bin/env bash

set -Eeuo pipefail

_usage() {
    cat <<__EOF
$0 usage:

    $0 [options]

Where [options] include:

    -h|--help           Show this help
    -i|--in PATH        Path to the PFX file to process.
    -p|--prefix PREFIX  Prefix for output files.

__EOF
}

_die() {
    echo "$*" >&2

    exit 1
}

INPFX=""
PREFIX=""

while [[ $# -ge 1 ]]; do
    key="$1"
    shift

    case $key in
        -h|--help)
            _usage
            exit 1
            ;;
        -i|--in)
            INPFX="$1"
            shift
            ;;
        -p|--prefix)
            PREFIX="$1"
            shift
            ;;
        *)
            _usage
            exit 1
            ;;
    esac
done

if [[ -z "$INPFX" ]]; then
    _die "PFX path is required."
fi

if [[ -z "$PREFIX" ]]; then
    _die "Prefix is required."
fi

echo ""
echo "Outputting files in $PWD"
echo ""

OUT_CRT="$PREFIX.crt"
OUT_CA="$PREFIX.ca"
OUT_SECRET="$PREFIX.secret"
OUT_KEY="$PREFIX.key"
OUT_PEM="$PREFIX.pem"

openssl pkcs12 -clcerts -nokeys -in "$INPFX" -out "$OUT_CRT"
openssl pkcs12 -cacerts -nokeys -in "$INPFX" -out "$OUT_CA"
openssl pkcs12 -nocerts -in "$INPFX" -out "$OUT_SECRET"
openssl rsa -in "$OUT_SECRET" >"$OUT_KEY"

cat "$OUT_CRT" "$OUT_CA" >"$OUT_PEM"

rm -f "$OUT_SECRET" "$OUT_CRT" "$OUT_CA"

echo "Certificate is $OUT_PEM and Key is $OUT_KEY"
echo ""