Convert a PKCS #12 file into certificate and key files
In cryptography, PKCS #12 is one of the family of standards called Public-Key
Cryptography Standards published by RSA Laboratories. It defines an archive file
format for storing many cryptography objects as a single file. It is commonly
used to bundle a private key with its X.509 certificate or to bundle all the
members of a chain of trust. A PKCS #12 file may be encrypted and signed. The
internal storage containers, called SafeBags, may also be encrypted and
signed. A few SafeBags are predefined to store certificates, private keys and
certificate revocation lists. The filename extension for PKCS #12 files is
.p12 or .pfx. These files can be created, parsed and read out with the
OpenSSL pkcs12 command.
I'm going to show you the commands used to convert a .pfx file into its
certificate and key components. This information can come in handy when you need
to import your certificates to devices like routers, load-balancers, handhelds,
or for use with web servers like Apache or nginx, where you'll need to import the
certificates and key files in plain-text, unencrypted format. Follow these
steps:
- Install openssl
- Extract the private key:
  openssl pkcs12 -in filename.pfx -nocerts -out encryptedkey.key
- Enter the .pfx file password when prompted
- Enter a new password for the encrypted key when prompted
- Extract the client certificate:
  openssl pkcs12 -in filename.pfx -nokeys -clcerts -out certificate.crt
- Extract the Certificate Authority certificates:
  openssl
- Sometimes you will need an unencrypted key file:
  openssl rsa -in encryptedkey.key -out decryptedkey.key
- Enter the key password you created in step 4 above
- Sometimes the private key needs to be in a PEM format:
  openssl rsa -in encryptedkey.key -outform PEM -out encryptedkey.pem
Always remember to keep your decrypted key in a safe place. Those are the literal keys to the kingdom.
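The audit below is an added example, not code from the original post: it reports which of the files produced by the steps above hold a private key without passphrase protection and whether group or others can access them. The function names (key_state, loose_perms, audit_keys) are hypothetical, and the sample files are constructed PEM framing named after the files in the steps.

```shell
# key_state FILE -> prints "unencrypted", "encrypted" or "none".
# Text before the PEM block (the "Bag Attributes" that pkcs12 writes) is skipped.
key_state() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { enc = 1; next }    # PKCS#8, encrypted
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { first = 1; next }  # decide on next line
        first { first = 0; if ($0 ~ /^Proc-Type: 4,ENCRYPTED/) enc = 1; else clear = 1 }
        END   { print (clear ? "unencrypted" : (enc ? "encrypted" : "none")) }
    ' "$1"
}

# loose_perms FILE -> true when group or others hold any permission bit.
loose_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_keys FILE... -> one line per file; returns 1 when a plaintext key
# is accessible to group or others.
audit_keys() {
    rc=0
    for f in "$@"; do
        case $(key_state "$f") in
            encrypted) echo "OK    $f: passphrase-protected key" ;;
            none)      echo "OK    $f: no private key" ;;
            unencrypted)
                if loose_perms "$f"; then
                    echo "FAIL  $f: plaintext key open to group/others"; rc=1
                else
                    echo "WARN  $f: plaintext key, owner-only permissions"
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample files: PEM framing only, no real key material.
d=$(mktemp -d)
printf '%s\n' 'Bag Attributes' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/encryptedkey.key"
# openssl rsa writes the key in the clear unless a cipher option such as
# -aes256 is given, so both of its output files are modelled as plaintext.
for n in decryptedkey.key encryptedkey.pem; do
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$d/$n"
done
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/certificate.crt"
chmod 600 "$d/encryptedkey.key" "$d/decryptedkey.key"
chmod 644 "$d/encryptedkey.pem" "$d/certificate.crt"
audit_keys "$d"/* || echo "audit: exposed private key found"
```

Despite its name, encryptedkey.pem is reported as a plaintext key, because the last step passes no cipher option to openssl rsa.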