extract private key and cert from pkcs12 (cert8.db/key3.db)

using fedora-ds/redhat-ds it creates cert8.db and key3.db to store the certs. I wanted to extract the private key as PEM so I could import it elsewhere.
[root@ldap] cd /etc/dirsrv/slapd-ldap [root@ldap] pk12util -o cert.p12 -n 'server-cert' -d . Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL [root@ldap] openssl pkcs12 -in cert.p12 -out cert.pem -nodes -clcerts Enter Import Password: MAC verified OK [root@ldap] cat cert.pem Bag Attributes friendlyName: server-cert localKeyID: 10 F4 C2 F6 01 3C 66 AA 72 35 C9 A7 DA B9 12 3F 11 A1 98 F6 Key Attributes: -----BEGIN PRIVATE KEY----- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALA7rSWdSk4CVHef ... BnevX/uQwZ3L1Qo= -----END PRIVATE KEY----- Bag Attributes friendlyName: server-cert localKeyID: 10 DD CC EE BB 3C 33 AC 72 35 C9 A7 DA B9 12 3F 11 A1 98 F6 subject=/C=US/ST=Any State/L=Any Town/O=Example/CN=ldap.example.com issuer=/C=US/ST=Any State/L=Any Town/O=Example/CN=certmaster.example.com -----BEGIN CERTIFICATE----- ChMcSW5zdGl0dXRlIGZvciBBZHZhbmNlZCBTdHVkeTEeMBwGA1UECxMVU2Nob29s ... gIP23WbaOw4DygMwXfbJwF5K0xxv+NALlpoaZw== -----END CERTIFICATE-----
I couldn't figure out how to do it with pk12util and certutil alone, the key was using openssl after exporting with pk12util...

About the Author...

Slides from LISA 2019 Linux systems troubleshooting #LISA2019 https://t.co/D4dMKflK6R Tue Oct 29 05:59:30 +0000 2019

https://t.co/AGeihMALAv configuring grub2 with EFI Fri Sep 13 05:20:01 +0000 2019

I published a Thing on @thingiverse! https://t.co/IYpRyEb7Hz #thingalert Tue Jul 23 19:27:57 +0000 2019

Nokogiri install on MacOSX https://t.co/v3An0miW9L Fri Jul 12 15:06:49 +0000 2019

HTML email with plain mailer plugin on Jenkins https://t.co/Z6FSDMDjy8 Thu Jul 11 21:07:25 +0000 2019