How To Generate a PKCS#12 file

Erol Yapıcı
6 min readJan 6, 2024

--

This post focuses on generating PKCS#12 file for serving your content or utilizing it for authentication purposes.

PKCS #12, also known as “Personal Information Exchange Syntax Standard,” is a binary format used to store cryptographic objects such as private keys, certificates, and the certificate chains that go with them. PKCS #12 is usually connected with the file extensions “.p12” or “.pfx.”

A PKCS #12 file, also known as a PKCS #12 archive or PFX file, can include a private key and its corresponding X.509 certificate, as well as the whole certificate chain, including intermediate and root certificates. This format is commonly used for securely transferring and storing private keys and certificates, particularly in SSL/TLS certificates, client authentication, and code signing applications.

The PKCS #12 standard defines a structure that can contain the following:

  1. Private Key: The actual private key associated with the certificate.
  2. Certificate: The X.509 certificate that corresponds to the private key.
  3. Certificate Chain: The complete chain of certificates, starting from the end-entity certificate and going up to the root certificate. This includes intermediate certificates as well.
  4. Additional Certificates (Optional): Any additional certificates that may be part of the trust chain but not directly related to the private key and certificate.
  5. Password Protection: PKCS #12 files are often password-protected to ensure the confidentiality and integrity of the stored private key and certificate information.

A PKCS #12 file is useful when you need to securely convey a private key and its accompanying certificate. Common application scenarios include installing SSL/TLS certificates on web servers, providing client authentication certificates, and securely storing cryptographic data.

In OpenSSL, operations such as openssl pkcs12 are used to generate, alter, and retrieve information from PKCS #12 files. OpenSSL, for example, may export a private key and certificate into a PKCS #12 file or extract the contents of a PKCS #12 file into distinct components.

The PKCS#12 format shares similarities with the Java KeyStore (JKS) format; however, its versatility extends beyond the confines of Java, accommodating usage in diverse programming libraries such as C and C++. This attribute renders PKCS #12 a more generalized choice for a keystore, enabling cross-platform compatibility and utilization across a broader spectrum of programming environments.

In the generation of a new PKCS #12 certificate, three distinct methodologies are available:

  • Purchase a certificate issued by a known certificate authority (like VeriSign, Symantec, DigiCert, Thawart, etc).
  • Generate your own self-signed SSL certificate
  • Create a certificate using the Certificate Signing Request (CSR, a.k.a PKCS #10)

1. Purchase a certificate issued by a known certificate authority

One approach to obtaining a certificate involves the procurement of a certificate from a reputable Certificate Authority (CA) through a monetary transaction. This involves the subsequent amalgamation of the purchased public certificate with its corresponding private key. Alternatively, for those seeking a cost-free option, Let’s Encrypt provides a service that issues SSL/TLS certificates without charge. In such instances, the acquired public certificate from Let’s Encrypt is combined with its associated private key, resulting in the creation of a PKCS #12 file as a no-cost alternative for certificate generation.

openssl pkcs12 -export -out keyStore.p12 -inkey privateKey.pem -in certificate.crt

2. Create your own self-signed SSL certifiate

openssl req -x509 -newkey rsa:4096 -keyout privateKey.pem -out certificate.crt -days 3650 -nodes

Explanation of the parameters:

  • req: This specifies the OpenSSL utility for creating and processing certificate requests.
  • -x509: This option specifies that the output should be a self-signed certificate rather than a certificate request.
  • -newkey rsa:4096: This part of the command generates a new RSA private key with a key size of 4096 bits.
  • -keyout privateKey.pem: This specifies the file where the private key should be saved.
  • -out certificate.crt: This specifies the file where the self-signed certificate should be saved.
  • -days 3650: This sets the validity period of the certificate to 3650 days (approximately 10 years). Adjust this value as needed.
  • -nodes: This option specifies that the private key should not be encrypted with a passphrase. Including this option means that the private key will be in a non-encrypted form.

2.1 Combine a private key and a certificate into one key store in the PKCS #12 format

openssl pkcs12 -export -out keyStore.p12 -inkey privateKey.pem -in certificate.crt

Explanation of the parameters:

  • pkcs12: This specifies the OpenSSL utility for PKCS#12 file operations.
  • -export: This option instructs OpenSSL to export the private key and the certificate into a PKCS#12 file.
  • -out keyStore.p12: This specifies the file name for the PKCS12 file that will be created.
  • -inkey privateKey.pem: This specifies the input file containing the private key.
  • -in certificate.crt: This specifies the input file containing the certificate.

After running this command, you should have a keyStore.p12 file that contains both the private key and the certificate. You may be prompted to set a password for the PKCS12 file during the process. If you want to set a specific password, you can use the -passout pass:your_password option, replacing your_password with your chosen password:

3. Create a certificate using the Certificate Signing Request

3.1 Generate a private key and a certificate signing request into separated files

openssl req -new -newkey rsa:4096 -out request.csr -keyout myPrivateKey.pem -nodes

Explanation of the parameters:

  • req: This specifies the OpenSSL utility for creating and processing certificate requests.
  • -new: This option specifies that a new CSR is being generated.
  • -newkey rsa:4096: This part of the command generates a new RSA private key with a key size of 4096 bits.
  • -out request.csr: This specifies the file where the certificate request (CSR) should be saved.
  • -keyout myPrivateKey.pem: This specifies the file where the new private key should be saved.
  • -nodes: This option specifies that the private key should not be encrypted with a passphrase. Including this option means that the private key will be in a non-encrypted form.

Following the execution of this command, you should have a new RSA private key in myPrivateKey.pemand a certificate request in request.csr. This certificate request can then be forwarded to a certificate authority (CA) in order to get a signed certificate.

If you want to encrypt the private key with a passphrase, you can omit the -nodes option, and OpenSSL will prompt you to set a passphrase for the private key during the process. If you want to set a specific passphrase in a non-interactive way, you can use the -passout pass:your_password option:

openssl req -new -newkey rsa:4096 -out request.csr -keyout myPrivateKey.pem -passout pass:your_password

Replace your_password with your chosen passphrase. Keep in mind that handling passphrase-protected private keys securely is crucial for the security of your cryptographic materials.

3.2 Generate a certificate signing request from an existing private key

openssl req -new -key myPrivateKey.pem -out request.csr
  • req: This specifies the OpenSSL utility for creating and processing certificate requests.
  • -new: This option specifies that a new CSR is being generated.
  • -key myPrivateKey.pem: This specifies the existing private key file to be used in generating the CSR.
  • -out request.csr: This specifies the file where the certificate request (CSR) should be saved.

Following the execution of this command, you will have a new certificate request (request.csr) connected with the private key (myPrivateKey.pem). This CSR can then be sent to a certificate authority (CA) to get a signed certificate.

If the private key is password-protected, OpenSSL will request you to enter the passphrase. If you want to supply the pass without any interaction, use the -passin pass:your_password option, replacing your_password with the real pass:

openssl req -new -key myPrivateKey.pem -out request.csr -passin pass:your_password

Remember to handle passphrase-protected private keys securely and only share the passphrase with those who need it.

You are almost done. When you get a new certificate for your request.csr from your CA, use it together with a private key to create a PKCS#12 file:

3.3 Combine a private key and a certificate into one key store in the PKCS #12 format

openssl pkcs12 -export -out keyStore.p12 -inkey privateKey.pem -in certificate.crt -certfile CA.crt
  • pkcs12: This specifies the OpenSSL utility for PKCS#12 file operations.
  • -export: This option instructs OpenSSL to export the private key and the certificate into a PKCS#12 file.
  • -out keyStore.p12: This specifies the file name for the PKCS12 file that will be created.
  • -inkey privateKey.pem: This specifies the input file containing the private key.
  • -in certificate.crt: This specifies the input file containing the certificate.
  • -certfile CA.crt: This specifies additional CA certificates (Certificate Authority certificates) that should be included in the PKCS#12 file. This is useful when creating a PKCS#12 file for client authentication where the certificate chain needs to be included.

After running this command, you should have a keyStore.p12 file that contains both the private key and the certificate along with the CA certificates. You may be prompted to set a password for the PKCS#12 file during the process. If you want to set a specific password, you can use the -passout pass:your_password option:

openssl pkcs12 -export -out keyStore.p12 -inkey privateKey.pem -in certificate.crt -certfile CA.crt -passout pass:your_password

Remember to handle the PKCS#12 file and its password securely, as it may contain sensitive information.

Conclusion

The main point of the text is that a PKCS#12 file is a binary format used to store cryptographic objects such as private keys, certificates, and certificate chains. It is commonly used for securely transferring and storing private keys and certificates, particularly in SSL/TLS certificates, client authentication, and code signing applications. The text also provides instructions on how to create a PKCS#12 file using OpenSSL.

Related Links:

https://blog.pavelsklenar.com

https://en.wikipedia.org/wiki/PKCS_12

https://www.openssl.org/docs/

--

--

Erol Yapıcı
Erol Yapıcı

Written by Erol Yapıcı

Love Java, PHP, JavaScript, Python. Scrum Master, Team Lead

No responses yet