Skip to main content
banner image
venafi logo

Finding the Private Key for a TLS/SSL Certificate

Finding the Private Key for a TLS/SSL Certificate

TLS/SSL private key
August 19, 2022 | Alexa Hernandez

The private key is the most valuable aspect of your TLS/SSL certificate as it verifies your identity and allows you to encrypt and decrypt information. If it is compromised, cybercriminals can use the private key to intercept information — leading to data breaches, fines, and loss of investor and consumer confidence.


What is a private key?

TLS/SSL certificates require both a public key and private key to encrypt and decrypt data. The public key is embedded in the TLS/SSL certificate and is used to encrypt data from the sender. The private key is in a separate file that should be stored securely on your server and can be used for both encryption and decryption. A compromised private key means that anyone with the key can decrypt the sensitive information being transmitted.

Generating a private key

In order to generate a private key, you need to request a TLS/SSL certificate from a Certificate Authority (CA) through a certificate signing request (CSR). Once the request is granted, you will receive a certificate assigned with domain name, public key and additional contact information. The private key will be generated with your CSR as a key pair and should be saved on the server you generated it on. If you lose the private key, it will be impossible to install the certificate and you will need to reissue the certificate.

Locating my private key

If you have not installed the certificate yet, your private key will be saved on the server where you initiated the CSR and generated the key pair. If your certificate is already installed then follow the steps below depending on which system you are using.


Your certificate files are managed for you in a private hidden folder. Access the private key by exporting a “.pfx” file that contains the certificate and private key.

  • Open Microsoft Management Console
  • In the Console Root, expand Certificates (Local Computer)
  • Locate the certificate in the Personal or Web Server folder
  • Right click the certificate
  • Select Export
  • Follow the guided wizard

The private key will be referenced in the main Apache configuration file (httpd.conf or apache2. conf.). The SSLCertificatekeyFile will identify the path to where your private key is located.

If using OpenSSL on Apache, your private keys are saved to /user/local/ssl by default.


The location of the private key can be found in your site’s virtual host file. Navigate to the server block for that site (typically within /var/ww/directory), open the main configuration file, and search for the ssl_certificate_key directive. This will bring up the file bath for your private key.

Mac OS X

Use Terminal to navigate to the /etc/certificates folder and open the key file (usually called something similar to “.key.pem”).

If you are unable to find the key, the best thing to do is to reissue the certificate.

Compromised or misplaced private keys

If a private key is misplaced or compromised, there is a chance that it could get misused by a cybercriminal. To avoid this, contact the certificate authority (CA) to get the certificate revoked and reissued.

Managing TLS/SSL certificates

To ensure the security of your information, manage your certificates and private keys carefully. As the number of certificates in your organization increases, as will the number of private keys. Keeping a pulse on the location and security of every private key becomes an inefficient and unsecure process. Venafi’s Trust Protection Platform manages the process for you and ensures that keys and certificates are secure and discoverable.


Like this blog? We think you will love this.
what is an ssl certificate
Featured Blog

What is an X.509 Digital Certificate?

SSL/TLS certificates are X.509 certificates with Extended Key Usage: Server Authentication (1.3.6

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Alexa Hernandez
Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more