howtos:convert_pkcs12_format_certificate_to_pem_format_certificate

Differences

This shows you the differences between two versions of the page.

howtos:convert_pkcs12_format_certificate_to_pem_format_certificate [d/m/Y H:i] (current)
Line 1: Line 1:
 +If you have a certificate which appears to be in binary format, then you probably have a PKCS12 formatted file. While the PKCS12 format is used by Java KeyStores and Windows XP "​Internet Options",​ most OpenSSL commands work on PEM formatted certificates and private keys. Fortunately,​ it is relatively easy to convert one format to the other. Here's a typical openssl command and resulting interactive session when converting PKCS12 format to PEM format:
 +
 +          > openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts
 +          Enter Import Password:
 +          MAC verified OK
 +          >
 +
 +First, an explanation of the command line options:
 +          * -in - read in the PKCS12 formatted credential from the file cred.p12.
 +          * -out - write out both the PEM formatted certificate and private key to the file certkey.pem.
 +          * -nodes - an optional parameter NOT to encrypt the private key. If you cannot guarantee secure access to your private key, omit this command line option.
 +          * -clcerts - output only client (user) certificates.
 +
 +Next, some caveats of the interactive session:
 +          * You will notice that the command outputs both the certificate and private key to a single file. If you open the certkey.pem file with a text editor, you will see something like this:
 +
 +<​file>​
 +                -----BEGIN CERTIFICATE-----
 +                MIID1zCCA0CgAwIBAgIJAPznkOa+zeeLMA0GCSqGSIb3DQEBBQUAMIGkMQswCQYD
 +                VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsG
 +                A1UEChMETkNTQTEjMCEGA1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24x
 +                GjAYBgNVBAMTEXd3dy5uY3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290
 +                QG5jYXMudWl1Yy5lZHUwHhcNMDYwMzAxMTkzMDMxWhcNMDcwMzAxMTkzMDMxWjCB
 +                pDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMQ8wDQYDVQQHEwZVcmJh
 +                bmExDTALBgNVBAoTBE5DU0ExIzAhBgNVBAsTGlNlY3VyaXR5IFJlc2VhcmNoIERp
 +                dmlzaW9uMRowGAYDVQQDExF3d3cubmNzYS51aXVjLmVkdTEhMB8GCSqGSIb3DQEJ
 +                ARYScm9vdEBuY2FzLnVpdWMuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
 +                gQCy8/​9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR/​AyJEr9E6jP3
 +                50FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWcc5XXn9M8MbR2
 +                jS97pjJ2AyclvOgGN/​nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQABo4IBDTCCAQkw
 +                HQYDVR0OBBYEFA9U2p42HR64xIK3uK9TqsuBYkorMIHZBgNVHSMEgdEwgc6AFA9U
 +                2p42HR64xIK3uK9TqsuBYkoroYGqpIGnMIGkMQswCQYDVQQGEwJVUzERMA8GA1UE
 +                CBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsGA1UEChMETkNTQTEjMCEG
 +                A1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24xGjAYBgNVBAMTEXd3dy5u
 +                Y3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290QG5jYXMudWl1Yy5lZHWC
 +                CQD855Dmvs3nizAMBgNVHRMEBTADAQH/​MA0GCSqGSIb3DQEBBQUAA4GBAAfq52g4
 +                oMVFtzp52pMZevxov9HyJNpuWHOP7y7WHmuYzigDy5vOqJgPki3w3hkdprIKKIb5
 +                7UPwfEZxrW4WwklWllcYV2/​00ytZ9tf5GreGhM+AGKOZzv+fDQBtzLr4T4TOjpQO
 +                HtceiR1JeNNVHL+Y53cXbP6qKh0TYn8xVQH3
 +                -----END CERTIFICATE-----
 +                Bag Attributes
 +                    localKeyID: 9B 8A 85 AF 89 9D EB B0 73 3A F8 F1 D3 F7 88 09 22 47 7C E3 
 +                Key Attributes: <No Attributes>​
 +                -----BEGIN RSA PRIVATE KEY-----
 +                MIICXAIBAAKBgQCy8/​9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR
 +                /​AyJEr9E6jP350FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWc
 +                c5XXn9M8MbR2jS97pjJ2AyclvOgGN/​nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQAB
 +                AoGATW7y9i8hNobCLiWgTT8LXcIZ8X+i6zGsTlgZ/​JxpTjuvl29I4GJV8kIgbWuC
 +                DTUNxCtNy8SD0mF/​7HUnrszJ9mKM52mrmKDLDNzvKY5J8Vl+u+7oNp7f8MViAIUK
 +                DvmUEG2RsA7boELYza6jrHRwEgB2Sk03ArW4M5jrS+/​xYKECQQDoCOg7u1HcIj0t
 +                eugQmQABfR86N81dE48bILNQlhDjbHlyedmMOmDBMqFEE2ayfb3EtHUoaZ81YHcE
 +                5aDDY8B1AkEAxW+Wy65LE2OnjIYjDSqHUrCpHxa6BrAS2OqYj0VSw1Fs5D4YHg/​J
 +                Ku41T5tOkeVsuwQcrGDhWR3+E4I2CTwKjQJARxjbl9nYxlvTZQkg7F0FLG+bTupk
 +                SZ3Bnq1RZGLm/​9hwCgyeBSKqHOiXk1VihVST/​h7ROzXJ68AIF/​8IWHZLNQJAfCns
 +                PJWU81GlqhMlcf8/​8TnWcg252cDbaX1Hijp/​jQPlJjkCs80bpxr9fd3e8JPG6Gny
 +                mlmm/​oOFKMGnt/​EBdQJBAJDVOMCPGolE06faCy6qpX6dYSVz1thc/​Prvlss9CQAC
 +                GjxDIISsFw71r2h7XdV70oFeJ/​r3uhXxbHRim9tFqsI=
 +                -----END RSA PRIVATE KEY-----
 +</​file>​
 +
 +While OpenSSL can handle both the certificate and the private key in a single file, it is often preferable to keep the two separate. There are two ways to make separate files for the certificate and the key.
 +
 +     ​-Using the certkey.pem file you generated above, simply save everything between (and including) each of the -----BEGIN----- and -----END----- lines to separate files, named something like cert.pem and key.pem for example.
 +     ​-Alternatively,​ you can rerun the command twice using the -nokeys and -nocerts command line options as follows:
 +
 +                      > openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
 +                      Enter Import Password:
 +                      MAC verified OK
 +                      > openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts
 +                      Enter Import Password:
 +                      MAC verified OK
 +                      > 
 +
 +          * The "​Import Password"​ is the password that was used to generate the PKCS12 file.
 +          * If you omit the -nodes command line option, you will also be prompted to "Enter PEM pass phrase"​. This is a (possibly different) password utilized to encrypt the PEM formatted private key.
 +
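Review bot: every example command in this revision (the first `openssl pkcs12 ... -out certkey.pem -nodes -clcerts` and the later `-out key.pem -nodes -nocerts`) passes `-nodes`, so a reader who copies them gets an unencrypted private key on disk, while the only warning is one clause in the option list. Suggest either dropping `-nodes` from the primary example and showing it as the variant, or adding a sentence beside the commands that certkey.pem and key.pem must be readable by the owner only (for example `umask 077` before running, or `chmod 600 key.pem` afterwards). The `<file>` sample also reproduces a complete RSA private key; state that it is a throwaway sample, or elide the body between the BEGIN and END lines, since the text only relies on those markers. Finally, the two bullets on "Import Password" and "Enter PEM pass phrase" belong to the caveats list but sit after the split-file commands; moving them directly under "Next, some caveats of the interactive session:" would keep the list together.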
  
howtos/convert_pkcs12_format_certificate_to_pem_format_certificate.txt · Last modified: d/m/Y H:i (external edit)