User Tools

Site Tools


howtos:convert_pkcs12_format_certificate_to_pem_format_certificate

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

howtos:convert_pkcs12_format_certificate_to_pem_format_certificate [d/m/Y H:i]
howtos:convert_pkcs12_format_certificate_to_pem_format_certificate [d/m/Y H:i] (current)
Line 1: Line 1:
 +If you have a certificate which appears to be in binary format, then you probably have a PKCS12 formatted file. While the PKCS12 format is used by Java KeyStores and Windows XP "Internet Options", most OpenSSL commands work on PEM formatted certificates and private keys. Fortunately, it is relatively easy to convert one format to the other. Here's a typical openssl command and resulting interactive session when converting PKCS12 format to PEM format:
 +
 +          > openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts
 +          Enter Import Password:
 +          MAC verified OK
 +          >
 +
 +First, an explanation of the command line options:
 +          * -in - read in the PKCS12 formatted credential from the file cred.p12.
 +          * -out - write out both the PEM formatted certificate and private key to the file certkey.pem.
 +          * -nodes - an optional parameter NOT to encrypt the private key. If you cannot guarantee secure access to your private key, omit this command line option.
 +          * -clcerts - output only client (user) certificates.
 +
 +Next, some caveats of the interactive session:
 +          * You will notice that the command outputs both the certificate and private key to a single file. If you open the certkey.pem file with a text editor, you will see something like this:
 +
 +<file>
 +                -----BEGIN CERTIFICATE-----
 +                MIID1zCCA0CgAwIBAgIJAPznkOa+zeeLMA0GCSqGSIb3DQEBBQUAMIGkMQswCQYD
 +                VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsG
 +                A1UEChMETkNTQTEjMCEGA1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24x
 +                GjAYBgNVBAMTEXd3dy5uY3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290
 +                QG5jYXMudWl1Yy5lZHUwHhcNMDYwMzAxMTkzMDMxWhcNMDcwMzAxMTkzMDMxWjCB
 +                pDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMQ8wDQYDVQQHEwZVcmJh
 +                bmExDTALBgNVBAoTBE5DU0ExIzAhBgNVBAsTGlNlY3VyaXR5IFJlc2VhcmNoIERp
 +                dmlzaW9uMRowGAYDVQQDExF3d3cubmNzYS51aXVjLmVkdTEhMB8GCSqGSIb3DQEJ
 +                ARYScm9vdEBuY2FzLnVpdWMuZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
 +                gQCy8/9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR/AyJEr9E6jP3
 +                50FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWcc5XXn9M8MbR2
 +                jS97pjJ2AyclvOgGN/nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQABo4IBDTCCAQkw
 +                HQYDVR0OBBYEFA9U2p42HR64xIK3uK9TqsuBYkorMIHZBgNVHSMEgdEwgc6AFA9U
 +                2p42HR64xIK3uK9TqsuBYkoroYGqpIGnMIGkMQswCQYDVQQGEwJVUzERMA8GA1UE
 +                CBMISWxsaW5vaXMxDzANBgNVBAcTBlVyYmFuYTENMAsGA1UEChMETkNTQTEjMCEG
 +                A1UECxMaU2VjdXJpdHkgUmVzZWFyY2ggRGl2aXNpb24xGjAYBgNVBAMTEXd3dy5u
 +                Y3NhLnVpdWMuZWR1MSEwHwYJKoZIhvcNAQkBFhJyb290QG5jYXMudWl1Yy5lZHWC
 +                CQD855Dmvs3nizAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAAfq52g4
 +                oMVFtzp52pMZevxov9HyJNpuWHOP7y7WHmuYzigDy5vOqJgPki3w3hkdprIKKIb5
 +                7UPwfEZxrW4WwklWllcYV2/00ytZ9tf5GreGhM+AGKOZzv+fDQBtzLr4T4TOjpQO
 +                HtceiR1JeNNVHL+Y53cXbP6qKh0TYn8xVQH3
 +                -----END CERTIFICATE-----
 +                Bag Attributes
 +                    localKeyID: 9B 8A 85 AF 89 9D EB B0 73 3A F8 F1 D3 F7 88 09 22 47 7C E3 
 +                Key Attributes: <No Attributes>
 +                -----BEGIN RSA PRIVATE KEY-----
 +                MIICXAIBAAKBgQCy8/9Afil4C+wvFdm2p7w6sQsZolXJQ1J07VDySCoguXCi6sCR
 +                /AyJEr9E6jP350FsgFoMn4d0qhkBb6JwczJtJRPphZIvXTi0rrOzZpe0yTF17NWc
 +                c5XXn9M8MbR2jS97pjJ2AyclvOgGN/nYIdEpBfGKJ0cLQr50rBEAu+GScQIDAQAB
 +                AoGATW7y9i8hNobCLiWgTT8LXcIZ8X+i6zGsTlgZ/JxpTjuvl29I4GJV8kIgbWuC
 +                DTUNxCtNy8SD0mF/7HUnrszJ9mKM52mrmKDLDNzvKY5J8Vl+u+7oNp7f8MViAIUK
 +                DvmUEG2RsA7boELYza6jrHRwEgB2Sk03ArW4M5jrS+/xYKECQQDoCOg7u1HcIj0t
 +                eugQmQABfR86N81dE48bILNQlhDjbHlyedmMOmDBMqFEE2ayfb3EtHUoaZ81YHcE
 +                5aDDY8B1AkEAxW+Wy65LE2OnjIYjDSqHUrCpHxa6BrAS2OqYj0VSw1Fs5D4YHg/J
 +                Ku41T5tOkeVsuwQcrGDhWR3+E4I2CTwKjQJARxjbl9nYxlvTZQkg7F0FLG+bTupk
 +                SZ3Bnq1RZGLm/9hwCgyeBSKqHOiXk1VihVST/h7ROzXJ68AIF/8IWHZLNQJAfCns
 +                PJWU81GlqhMlcf8/8TnWcg252cDbaX1Hijp/jQPlJjkCs80bpxr9fd3e8JPG6Gny
 +                mlmm/oOFKMGnt/EBdQJBAJDVOMCPGolE06faCy6qpX6dYSVz1thc/Prvlss9CQAC
 +                GjxDIISsFw71r2h7XdV70oFeJ/r3uhXxbHRim9tFqsI=
 +                -----END RSA PRIVATE KEY-----
 +</file>
 +
 +While OpenSSL can handle both the certificate and the private key in a single file, it is often preferable to keep the two separate. There are two ways to make separate files for the certificate and the key.
 +
 +     -Using the certkey.pem file you generated above, simply save everything between (and including) each of the -----BEGIN----- and -----END----- lines to separate files, named something like cert.pem and key.pem for example.
 +     -Alternatively, you can rerun the command twice using the -nokeys and -nocerts command line options as follows:
 +
 +                      > openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
 +                      Enter Import Password:
 +                      MAC verified OK
 +                      > openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts
 +                      Enter Import Password:
 +                      MAC verified OK
 +                      > 
 +
 +          * The "Import Password" is the password that was used to generate the PKCS12 file.
 +          * If you omit the -nodes command line option, you will also be prompted to "Enter PEM pass phrase". This is a (possibly different) password utilized to encrypt the PEM formatted private key.
 +
  
howtos/convert_pkcs12_format_certificate_to_pem_format_certificate.txt · Last modified: d/m/Y H:i (external edit)