Most browsers, including Internet Explorer, require that client certificates (which include proxy certificates) be in PKCS12 format rather than X509 PEM format. Java KeyStores likewise require certificates in PKCS12 format. To convert a PEM formatted certificate to PKCS12 format, you need both the certificate and the private key belonging to that certificate. Here is a typical openssl command and the resulting interactive session when converting from PEM format to PKCS12 format:
    > openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12
    Enter Export Password:
    Verifying - Enter Export Password:
    >
First, an explanation of the command line options:
- -export - generate a PKCS12 formatted file.
- -in cert.pem - read in the X509 PEM formatted certificate from the file cert.pem.
- -inkey key.pem - read in the PEM formatted private key from the file key.pem.
- -out cred.p12 - write out the PKCS12 formatted 'credential' to the file cred.p12.
Next, some caveats of the interactive session:
- PEM formatted certificates are fairly flexible. For example, both the certificate and the private key for that certificate can be contained in a single file. This is often the case with proxy certificates, which contain the proxy certificate, the proxy private key, and the user certificate (which was used to sign the proxy certificate). If you have a single file containing both the certificate and the key, you can specify the same filename for both the -in and -inkey command line options. OpenSSL will use the first certificate and first private key it finds in the file.
- If the private key is encrypted, you will be prompted to enter the pass phrase for that key before entering the export password.
- The export password does not have to be the same as the password you used for the PEM formatted private key. Whatever password you choose, you will need to enter that new password when importing the new PKCS12 credential into Windows XP.
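The conversion above, driven non-interactively and checked by reading the bundle back, as an added example that is not part of the original page. It assumes openssl is on PATH; the certificate and key are throwaway constructed test data generated inside the script, and WORK is a scratch directory it creates.

```shell
#!/bin/sh
# Added example: the page's PEM -> PKCS12 conversion run unattended, then
# verified. Test data (self-signed cert + key) is constructed here; WORK is
# the scratch directory holding every file the functions touch.
WORK="${WORK:-$(mktemp -d)}"

# make_test_pem: self-signed certificate plus an unencrypted key, PEM format.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-user" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# pem_to_p12 CERT KEY OUT PASSWORD: the page's command with the export
# password supplied via -passout instead of the interactive prompt.
# ("pass:..." is visible to `ps`; use "env:VAR" or "file:PATH" outside tests.)
pem_to_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# p12_subject BUNDLE PASSWORD: print the subject of the certificate stored in
# the bundle. Produces no output (and fails) if the export password is wrong.
p12_subject() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject
}

# p12_has_key BUNDLE PASSWORD: succeed only if the bundle holds a private key.
p12_has_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# demo: both cases from the text, separate cert/key files and one combined
# file passed to -in and -inkey (openssl uses the first cert and key found).
demo() {
  make_test_pem
  pem_to_p12 "$WORK/cert.pem" "$WORK/key.pem" "$WORK/cred.p12" "export-secret"
  cat "$WORK/cert.pem" "$WORK/key.pem" > "$WORK/combined.pem"
  pem_to_p12 "$WORK/combined.pem" "$WORK/combined.pem" "$WORK/cred2.p12" "export-secret"
  for f in cred.p12 cred2.p12; do
    printf '%s: ' "$f"; p12_subject "$WORK/$f" "export-secret"
    p12_has_key "$WORK/$f" "export-secret" && echo "  private key present"
  done
}

demo
```

Importing cred.p12 into a browser or Java KeyStore then asks for the same export password that was passed to -passout.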