All the example I've seen don't clean the MS attributes.

OpenSSL 3.5.0 8 Apr 2025

Extract a clean private key (no MS Bag Attributes)

openssl pkcs12 -in your.pfx -nocerts -nodes | openssl rsa -out private.key

Extract the public certificate (no MS Bag Attributes)

openssl pkcs12 -in your.pfx -clcerts -nokeys | openssl x509 -out pub.crt

Extract public pem (no MS Bag Attributes)

openssl pkcs12 -in your.pfx -clcerts -nokeys | openssl x509 -out pub.pem

Extract the CA chain (if present) (no MS Bag Attributes)

openssl pkcs12 -in your.pfx -cacerts -nokeys | openssl x509 -out somechain.crt

Extract Public Key from clean private key

openssl rsa -in private.key -pubout -out public.key

If you ever need to password-protect the private key during export

openssl rsa -in private.key -aes256 -out private-secure.key

Check if the *.crt, *.pem, work with your *.key / visually match the output

openssl rsa -noout -modulus -in private.key

openssl x509 -noout -modulus -in pub.crt

openssl x509 -noout -modulus -in pub.pem