PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.
OpenSSL on Linux
If we are using Linux, we can install OpenSSL with the following YUM console command:
> yum install openssl
If our distribution is based on APT instead of YUM, we can use the following command instead:
> apt-get install openssl
Create a .pfx/.p12 file using OpenSSL pkcs12
- openssl pkcs12 -inkey privateKey.key -in certificate.crt -certfile more.crt -export -out certificate.pfx
Breaking down the command:
- openssl – the command for executing OpenSSL
- pkcs12 – the file utility for PKCS#12 files in OpenSSL
- -export -out certificate.pfx – export and save the PFX file as certificate.pfx
- -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
- -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
- -certfile more.crt – optional; names a file with any additional certificates we would like to include in the PFX file.
- Our P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
- Our P12 file can contain a maximum of 10 intermediate certificates.
View PKCS#12 Information
To dump all of the information in a PKCS#12 file in PEM format, use this command:
- openssl pkcs12 -info -in certificate.p12 -nodes
- -nodes – output the private key unencrypted, without a passphrase
Encrypt Private Key with OpenSSL pkcs12
If we would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command:
- openssl pkcs12 -info -in certificate.p12
Extract Only Certificates or Private Key with OpenSSL pkcs12
If we only want to output the private key, add -nocerts to the command:
- openssl pkcs12 -info -in certificate.p12 -nodes -nocerts
- openssl pkcs12 -in certificate.p12 -out privateKey.key -nodes -nocerts
And to create a file including only the certificates, use this:
- openssl pkcs12 -in certificate.p12 -out certificate.crt -nokeys
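The commands above, combined into one round trip as an added example (not from the original page): it builds a PFX from a throwaway key and certificate, extracts both parts again, and confirms that the extracted key belongs to the extracted certificate by comparing public-key hashes. The CN, the passphrase and the extracted.* file names are constructed for the demo; the passphrase is passed with env: so it does not appear on the command line.

```shell
#!/bin/sh
# Added example. File names follow the page; the CN and passphrase are constructed.
PFX_PASS='constructed-demo-passphrase'; export PFX_PASS   # read via env:, not argv

# Throwaway self-signed key + certificate in directory $1 (stand-in for real files).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pkcs12-demo.example" \
        -keyout "$1/privateKey.key" -out "$1/certificate.crt" 2>/dev/null
}

# Bundle key and certificate into $1/certificate.pfx, encrypted under $PFX_PASS.
make_pfx() {
    openssl pkcs12 -export -inkey "$1/privateKey.key" -in "$1/certificate.crt" \
        -out "$1/certificate.pfx" -passout env:PFX_PASS
}

# Split the bundle again. -nodes writes the key in the clear, so restrict the
# file mode with umask before the output files are created.
extract_pfx() (
    umask 077
    openssl pkcs12 -in "$1/certificate.pfx" -passin env:PFX_PASS \
        -nokeys -out "$1/extracted.crt" 2>/dev/null &&
    openssl pkcs12 -in "$1/certificate.pfx" -passin env:PFX_PASS \
        -nocerts -nodes -out "$1/extracted.key" 2>/dev/null
)

# SHA-256 of the DER-encoded public key inside a certificate or a private key.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Full round trip in a fresh temp dir; succeeds only if extracted key and cert pair up.
roundtrip_ok() {
    dir=$(mktemp -d) || return 1
    make_test_material "$dir" && make_pfx "$dir" && extract_pfx "$dir" &&
        [ "$(cert_pubkey_hash "$dir/extracted.crt")" = "$(key_pubkey_hash "$dir/extracted.key")" ] &&
        [ "$(key_pubkey_hash "$dir/privateKey.key")" = "$(key_pubkey_hash "$dir/extracted.key")" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

if roundtrip_ok; then echo "extracted key matches certificate"; else echo "mismatch"; fi
```

The same hash comparison works on real files before importing a PFX elsewhere: a mismatch means the wrong key was bundled with the certificate.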