User Tools

Site Tools


howtos:convert_pkcs12_format_certificate_to_pem_format_certificate

If you have a certificate which appears to be in binary format, then you probably have a PKCS12 formatted file. While the PKCS12 format is used by Java KeyStores and Windows XP “Internet Options”, most OpenSSL commands work on PEM formatted certificates and private keys. Fortunately, it is relatively easy to convert one format to the other. Here's a typical openssl command and resulting interactive session when converting PKCS12 format to PEM format:

        > openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts
        Enter Import Password:
        MAC verified OK
        >

First, an explanation of the command line options:

  • -in - read in the PKCS12 formatted credential from the file cred.p12.
  • -out - write out both the PEM formatted certificate and private key to the file certkey.pem.
  • -nodes - an optional parameter NOT to encrypt the private key. If you cannot guarantee secure access to your private key, omit this command line option.
  • -clcerts - output only client (user) certificates.

Next, some caveats of the interactive session:

  • You will notice that the command outputs both the certificate and private key to a single file. If you open the certkey.pem file with a text editor, you will see something like this:
                -----BEGIN CERTIFICATE-----
                MIID1zCCA0CgAwIBAgIJAPznkOa+zeeLMA0GCSqGSIb3DQEBBQUAMIGkMQswCQYD
                VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsG
                A1UEChMETkNTQTEjMCEGA1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24x
                GjAYBgNVBAMTEXd3dy5uY3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290
                QG5jYXMudWl1Yy5lZHUwHhcNMDYwMzAxMTkzMDMxWhcNMDcwMzAxMTkzMDMxWjCB
                pDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMQ8wDQYDVQQHEwZVcmJh
                bmExDTALBgNVBAoTBE5DU0ExIzAhBgNVBAsTGlNlY3VyaXR5IFJlc2VhcmNoIERp
                dmlzaW9uMRowGAYDVQQDExF3d3cubmNzYS51aXVjLmVkdTEhMB8GCSqGSIb3DQEJ
                ARYScm9vdEBuY2FzLnVpdWMuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
                gQCy8/9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR/AyJEr9E6jP3
                50FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWcc5XXn9M8MbR2
                jS97pjJ2AyclvOgGN/nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQABo4IBDTCCAQkw
                HQYDVR0OBBYEFA9U2p42HR64xIK3uK9TqsuBYkorMIHZBgNVHSMEgdEwgc6AFA9U
                2p42HR64xIK3uK9TqsuBYkoroYGqpIGnMIGkMQswCQYDVQQGEwJVUzERMA8GA1UE
                CBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsGA1UEChMETkNTQTEjMCEG
                A1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24xGjAYBgNVBAMTEXd3dy5u
                Y3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290QG5jYXMudWl1Yy5lZHWC
                CQD855Dmvs3nizAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAAfq52g4
                oMVFtzp52pMZevxov9HyJNpuWHOP7y7WHmuYzigDy5vOqJgPki3w3hkdprIKKIb5
                7UPwfEZxrW4WwklWllcYV2/00ytZ9tf5GreGhM+AGKOZzv+fDQBtzLr4T4TOjpQO
                HtceiR1JeNNVHL+Y53cXbP6qKh0TYn8xVQH3
                -----END CERTIFICATE-----
                Bag Attributes
                    localKeyID: 9B 8A 85 AF 89 9D EB B0 73 3A F8 F1 D3 F7 88 09 22 47 7C E3 
                Key Attributes: <No Attributes>
                -----BEGIN RSA PRIVATE KEY-----
                MIICXAIBAAKBgQCy8/9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR
                /AyJEr9E6jP350FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWc
                c5XXn9M8MbR2jS97pjJ2AyclvOgGN/nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQAB
                AoGATW7y9i8hNobCLiWgTT8LXcIZ8X+i6zGsTlgZ/JxpTjuvl29I4GJV8kIgbWuC
                DTUNxCtNy8SD0mF/7HUnrszJ9mKM52mrmKDLDNzvKY5J8Vl+u+7oNp7f8MViAIUK
                DvmUEG2RsA7boELYza6jrHRwEgB2Sk03ArW4M5jrS+/xYKECQQDoCOg7u1HcIj0t
                eugQmQABfR86N81dE48bILNQlhDjbHlyedmMOmDBMqFEE2ayfb3EtHUoaZ81YHcE
                5aDDY8B1AkEAxW+Wy65LE2OnjIYjDSqHUrCpHxa6BrAS2OqYj0VSw1Fs5D4YHg/J
                Ku41T5tOkeVsuwQcrGDhWR3+E4I2CTwKjQJARxjbl9nYxlvTZQkg7F0FLG+bTupk
                SZ3Bnq1RZGLm/9hwCgyeBSKqHOiXk1VihVST/h7ROzXJ68AIF/8IWHZLNQJAfCns
                PJWU81GlqhMlcf8/8TnWcg252cDbaX1Hijp/jQPlJjkCs80bpxr9fd3e8JPG6Gny
                mlmm/oOFKMGnt/EBdQJBAJDVOMCPGolE06faCy6qpX6dYSVz1thc/Prvlss9CQAC
                GjxDIISsFw71r2h7XdV70oFeJ/r3uhXxbHRim9tFqsI=
                -----END RSA PRIVATE KEY-----

While OpenSSL can handle both the certificate and the private key in a single file, it is often preferable to keep the two separate. There are two ways to make separate files for the certificate and the key.

  1. Using the certkey.pem file you generated above, simply save everything between (and including) each of the —–BEGIN—– and —–END—– lines to separate files, named something like cert.pem and key.pem for example.
  2. Alternatively, you can rerun the command twice using the -nokeys and -nocerts command line options as follows:
                    > openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
                    Enter Import Password:
                    MAC verified OK
                    > openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts
                    Enter Import Password:
                    MAC verified OK
                    > 
  • The “Import Password” is the password that was used to generate the PKCS12 file.
  • If you omit the -nodes command line option, you will also be prompted to “Enter PEM pass phrase”. This is a (possibly different) password utilized to encrypt the PEM formatted private key.
howtos/convert_pkcs12_format_certificate_to_pem_format_certificate.txt · Last modified: d/m/Y H:i by 127.0.0.1