Somewhere in this world exists a Windows computer with certificates old and new using the Certificate Store for storage and using the MMC snap in for management. I make requests to certificate authorities from this box. But some of the computers are Linux and need some extra effort. I export to pfx PKCS#12 format on Windows. On Linux I use OpenSSL to extract the keys. Here are some commands:
openssl pkcs12 -in cert.pfx -nocerts -nodes -passin pass:notreallymypassword | openssl rsa -out cert.key
That gives us the RSA Private key that a service can read without requiring a password.
openssl pkcs12 -in cert.pfx -nokeys -nodes -passin pass:notreallymypassword -out cert.crt
That gives us the public certificate.
Both files have attributes that need to be removed. The only data should be between and including the BEGIN and END lines.
Sometimes you want these both in one file. In this case the public certificate should be first.
On a generic Debian Linux you have /etc/ssl/certs/ imapd.pem and ipop3d.pem, /etc/apache2/ssl/ apache.pem and /etc/mail/tls sendmail-client.crt, sendmail-common.key and sendmail-server.crt that need to be touched.