Note: This article does not apply to SSL.com code signing and document signing certificates. The private keys of these types of certificates cannot be exported and they cannot be generated as .pfx files. SSL.com code signing and document signing certificates and their private keys can only be generated and stored in the eSigner cloud signing environment, a Yubikey device, or a supported Cloud HSM.
This how-to will walk you through extracting information from a PKCS#12 file with OpenSSL. PKCS#12 (also known as PKCS12 or PFX) is a binary format for storing a certificate chain and private key in a single, encryptable file. PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.
For more helpful how-tos and the latest cybersecurity news, sign up for SSL.com’s newsletter here:
What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin. You can also easily create a PKCS#12 file with openSSL.
SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites.
COMPARE SSL/TLS CERTIFICATES
Video
https://www.youtube.com/watch?v=S_imVMFOdhU
Go to top
In all of the examples shown below, substitute the names of the files you are actually working with for INFILE.p12, OUTFILE.crt, and OUTFILE.key.
View PKCS#12 Information on Screen
To dump all of the information in a PKCS#12 file to the screen in PEM format, use this command:
openssl pkcs12 -info -in INFILE.p12 -nodes
You will then be prompted for the PKCS#12 file’s password:
Enter Import Password:
Type the password entered when creating the PKCS#12 file and press enter. OpenSSL will output any certificates and private keys in the file to the screen:
Bag Attributes localKeyID: AC 3E 77 9A 99 62 84 3D 77 CB 44 0D F9 78 57 7C 08 28 05 97 subject=/CN=Aaron Russell/emailAddress=*********@gmail.comissuer=/C=US/ST=Texas/L=Houston/O=SSL Corp/CN=SSL.com Client Certificate Intermediate CA RSA R1-----BEGIN CERTIFICATE-----MIIF1DCCA7ygAwIBAgIQcOrAJCMayJsZBKJsyz/aQDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xETAPBgNVBAoMCFNTTCBDb3JwMTowOAYDVQQDDDFTU0wuY29tIENsaWVudCBDZXJ0...bwK6ABAZUq6QcvhD0LYsXya+ncDCR6wxb9E0DWd4ATQMzxGTu/yE3kT+9Ef6IY+narmh3HZUfan2Hb64YD0tjLMca/PC+sKAZu28gB/3HQRHIFugvh6RO3bIoorl0jUg1Ml2r83++biS0HL6JdcwuuUF-----END PRIVATE KEY-----
Encrypt Private Key
If you would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command:
openssl pkcs12 -info -in INFILE.p12
In this case, you will be prompted to enter and verify a new password after OpenSSL outputs any certificates, and the private key will be encrypted (note that the text of the key begins with -----BEGIN ENCRYPTED PRIVATE KEY-----):
Enter PEM pass phrase:Verifying - Enter PEM pass phrase:-----BEGIN ENCRYPTED PRIVATE KEY-----MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIGwhJIMXRiLQCAggAMBQGCCqGSIb3DQMHBAiXdeymTYuedgSCBMjwGg78PsqiNJLfpDFbMxL98u3tK9Cs...SGVCCBj5vBpSbBXAGbOv74h4satKmAMgGc8SgU06geS9gFgt/wLwehMJ/H4BSmex4S/2tYzZrDBJkfH9JpggubYRTgwfa*gY2BkX03dK2sqfu+QVTVTKMj2VI0sKcFfLZbdw=-----END ENCRYPTED PRIVATE KEY-----
Extract Only Certificates or Private Key
If you only want to output the private key, add -nocerts to the command:
openssl pkcs12 -info -in INFILE.p12 -nodes -nocerts
If you only need the certificates, use -nokeys (and since we aren’t concerned with the private key we can also safely omit -nodes):
openssl pkcs12 -info -in INFILE.p12 -nokeys
Go to top
Save Certificates and Private Keys to Files
You can export the certificates and private key from a PKCS#12 file and save them in PEM format to a new file by specifying an output filename:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nodes
Again, you will be prompted for the PKCS#12 file’s password. As before, you can encrypt the private key by removing the -nodes flag from the command and/or add -nocerts or -nokeys to output only the private key or certificates. So, to generate a private key file, we can use this command:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.key -nodes -nocerts
And to create a file including only the certificates, use this:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nokeys
Go to top
Convert Private Key to PKCS#1 Format
The examples above all output the private key in OpenSSL’s default PKCS#8 format. If you know you need PKCS#1 instead, you can pipe the output of the OpenSSL’s PKCS#12 utility to its RSA or EC utility depending on the key type. Both of the commands below will output a key file in PKCS#1 format:
RSA
openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl rsa -out OUTFILE.key
ECDSA
openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl ec -out OUTFILE.key
Note: You can tell the difference between PKCS#8 and PKCS#1 private key files by looking at the first line of text. PKCS#1 files will specify the algorithm:-----BEGIN RSA PRIVATE KEY-----
PKCS#8 files do not show the algorithm, and may also be encrypted:-----BEGIN PRIVATE KEY-----
or-----BEGIN ENCRYPTED PRIVATE KEY-----
Thank you for choosing SSL.com! If you have any questions, please contact us by email at [email protected], call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.
