How To Generate Private Key From SSL Certificate?

How To Generate Private Key From SSL Certificate? – Before We Get Into The Topic, let’s Learn Some Basic Of This Topic

How do I locate the private key to my SSL certificate?

This article will help you find the private key to your SSL certificate if you have just received it.

What is a private key?

Let’s start with the basics. To design a global public key infrastructure that allows secure communication through SSL/TLS, there must be a pair of unique keys.

Public key vs. private key

The SSL certificate embeds the public key. The private key is kept secret on the server. Site visitors fill out forms with personal information. The information is encrypted using the public key to prevent eavesdropping. This information is encrypted on the server and then passed to the third party for further processing. We must use a unique pair of keys that cannot be altered to decrypt the message transmitted. In a nutshell, a key without the other is useless.

How can you create a private key?

The private key is created simultaneously with theCSR(certificate sign request) containing the domain name, public keys, and additional contact information. After the certificate has been issued, the CSR must be sent to the certificate authority to validate and sign it. activation of the Namecheap user panel. The private key must remain secret and should be stored on the same server where the certificate will be installed.

How can I create a new private code for my SSL certificate?

A public key containing additional information, such as domain name and contact information, must be signed by a trusted authority to make it valid and applicable for secure communication with your server. It would not make sense to create a new private key for a previously validated public key. We must also ensure that no one can create a matching public key based on a public key. Modern cryptosystems make it almost impossible to accomplish such a task.

What is a private key?

A private key is an encrypted piece of data. It usually consists of a few dozen lines with randomly-looking symbols.

However, the code will not be visible to you while creating the CSR. The code is silently saved to the server’s filesystem in the background. And obviously, during the SSL certificate installation, the key should be fetched to the certificate automatically. Some systems don’t have this behavior, or we may need to install the certificate from another server. These are examples of situations where we need to know exactly the location of the private keys.

How do I retrieve a lost private key?

It all depends on the server operating system used and whether CLI (command-line interface) or a control panel for web-hosting of a specific type were used to generate CSRs. Here’s the important part.

Here are some tips, examples, and bits of advice you might find useful to help you solve the missing puzzle and avoid certificate renewal (i.e. repeating the activation and validation process from scratch).

How do I retrieve a private key on different server platforms?

Linux operating systems (Apache, Nginx, Lighttpd, Heroku)

Private keys for Linux-based operating systems (Ubuntu and Debian, CentOS, RedHat, etc.) were traditionally stored in files with the. key or. pem extension. is an OpenSSL-generated key with the crypto toolkit. These keys are saved in files with the extension.key/.pem. The private key code is not required for simple text files on Linux systems. However, it can be placed in any file with almost any name.

You can use the “find” command to locate the key file if you can remember its full name or part.

sudo find [search_start_folder] -type f -iname ‘private.key’

– [search_start_folder] parameter indicates the directory to start the search from and through all directories inside it, for example, to search from “root”, the / sign should be specified;
To search for files with partial names, an asterisk (*), should be used. For example, “*.key” will allow you to locate all files with a name ending in “.key”.

HINT Often, the key file name is identical to the domain name for which the certificate was issued, e.g. “”, or “example_com. the key”, etc.

You can also search within the files using certain patterns to find the location of your private key file.

Windows operating system (IIS/Exchange, Small Business Server)

Windows systems don’t allow you to retrieve the private key in plaintext. If an SSL certificate is imported via MMC or IIS the matching private key will be bound to it automatically. This is true even if the certificate is being imported on the same machine that the key was created. If we need the private key to install a certificate on another server, the option is to export it in a password-protected file (PFX) or PKCS12 format. You will need to open MMC Certificates snap-in in the following manner:

Win+R > Microsoft mmc.exe

Navigate to Certificate Enrollment requests > Certificates (if you have not completed the request) or Personal > Certs (if it was completed). Right-click on the entry to export the wizard. More details on the export process can be found here.

You will then receive an a.pfx file with the key. To get the key in plain text, you can convert the .pfx into PEM encoded files using the tool (PKCS#12 to PEM option).

Mac OS X

Accessing the generated private keys through the graphic interface is not possible with the default Keychain tool in the Server app. Using the Terminal command-line tools, you can navigate to “/etc/certificates”, and open the key file. It should be named something like “.key.pem”.

Tomcat (using Keytool)

The private key for Tomcat’s SSL connector is not configured in APR mode. Instead, it is stored in a password-protected Java Keystore file (.jks) or. Keystore that was created before the CSR. The keystone must first be converted to. pfx/.p12 file (PKCS#12). The following command can be used to do this:

“Keystore. jks”, should be replaced by the name and Keystore name, which contains the required key. “Keystore.p12”, – the name and Keystore.p12 files into which the Keystore will be converted; these values refer to the alias and Keystore password, as well as the key password values that were specified during Keystore generation. These values are necessary to ensure the integrity of the new. pfx./p12 format. However, it is possible to use one password for both parameters.

When the .pfx/.p12 file is created, it can be converted into PEM formatted files either with the help of this tool (PKCS#12 to PEM option) or using OpenSSL. OpenSSL commands would be:

OpenSSL pkcs12

– “Private. key” refers to the file where the private key text will reside.


There are two ways to access the Private key in cPanel

    1. Use SSL/TLS ManagerClick on the cPanel homepage and click on “SSL/TLS Manager” then click on the “Private key” button. The new screen will display the list of private keys that have been created in any particular cPanel accounts. The screen will be opened by clicking on the “View & Edit” button. It will present the key in both decoded and encoded forms.
    1. Using File managerFrom the cPanel homepage screen, click on the File manager button and open the window as shown in the screenshot below. Next, locate the “SSL” folder and click on the key directory. In the right-side navigation panel, you will see your private keys. You can then download the key file or open it in plain text.


The private keys of WHM are saved in the “SSL storage manager” along with the CSRs and certificates. You can access it by clicking “SSL/TLS”, on the home screen, and then “SSL Storage Manager”. Click on the magnifier button located in the first column, “Key” to open the private key text.


You should now see the page Domains > SSL/TLS certificates after you navigate to Domains > The message “Private Key Part Supplied” is a key sign that indicates the existence of the required key in the system. Click on the name of the entry to open it in plain text. Scroll down until you see the key code. You can also click the green arrow sign to the right to download the. pem file that contains the key, CSR, and certificate, along with the CA bundle if imported. You can open the. pem file with any text editor such as Notepad.

Synology NAS DSM

The private key for Synology DSM is saved in the file at the end of the CSR generation wizard. The server. a key file within archive contains the private key. It can be opened locally with a text editor on a computer:


Webmin was developed as a user interface for command-line tools. However, it also includes the File manager (Filemin), which can be used to browse the file system and find the key file. This key file was created when the CSR was generated by the OpenSSL command within Command Shell.

Another way to locate the private key in Webmin? Open “Command shell”, under the “Others”, section, and then run the “find” (or “grep”) command from the paragraph “Linux Operating Systems”.


VestaCP’s private key is not saved in the user interface. It is important to save key text into a local file during CSR generation.

It is possible to still find it using SSH. VestaCP creates new CSRs and stores the private key as a temporary file under the “/temp” directory. The absolute path to the key file might look like “/tmp/tmp.npAnkmWFcu/”, for example. This is because the files in “/tmp” get deleted after each server reboot


DirectAdmin panel’s most recent version stores the private key and pre-fetches it in the section “Paste a pre-generated certificate and key” in the SSL Certificates menu.

If you try to insert the certificate text into the auto-populated private keys text, but get an empty window when you do so, this could be a sign that the CSR code has been generated somewhere else or that the system has not added the private key to the window. The key can be retrieved via SSH in the latter case. It is normally saved in the following directory: /usr/local/DirectAdmin/data/users//domains/.key, where corresponds to your DirectAdmin username and – to the domain, the CSR has been generated for.


On the homepage, you will find the “SSL” section of Webuzo. The list of generated keys will be displayed by clicking on the button “Private keys”. The pencil button, located on the right side under the “Options” column, should be clicked to see key text.

In conclusion, if none of the above-mentioned tips were helpful and the original private key cannot be retrieved, it is necessary to generate the new CSR / private key pair and reissue the certificate, making sure that the private key is a safe time.