Summary
This document describes how to use OpenSSL to convert an X.509 certificate and/or its RSA private key into Public-Key Cryptography Standards #12 (PKCS#12) format.
Requirements
You must have a working installation of the OpenSSL software and be able to execute openssl from the command line. Refer to CTX106627 - How to Install the OpenSSL Toolkit for more information on obtaining and installing OpenSSL.
Background
PKCS#12 specifies a portable format for storing and transporting certificates, private keys, and miscellaneous secrets. It is the preferred format for many certificate-handling operations and is supported by most browsers and by recent releases of the Windows family of operating systems. Its advantage is that the certificate, the corresponding private key, the root certificate, and any other certificates in the chain can be stored together in a single, password-protected file.
Procedure
1. Ensure that the certificate(s) and key are in PEM format.
Note: The obsolete NET (Netscape server) format is encrypted using an unsalted RC4 symmetric cipher, so a passphrase will be requested when it is read. If you do not have access to this passphrase it is unlikely you will be able to recover the key.
2. Create the PKCS#12 file from the certificate and its private key:
openssl pkcs12 -export -in input.crt -inkey input.key -out bundle.p12
Note: You will be prompted for an export password, which protects the key in the bundle. OpenSSL 1.1.1 and earlier encrypt the key with Triple DES by default; OpenSSL 3.0 and later default to AES-256-CBC with PBKDF2. A blank export password is accepted but leaves the key effectively unprotected, so always choose a strong one. If an older importer rejects a bundle produced by OpenSSL 3.x, re-export it with the -legacy option, which selects the older algorithms.
Note: The PEM formatted root certificate and any other certificates in the chain can be concatenated into a single file (for example, root.crt) and included in the PKCS#12 file as follows:
openssl pkcs12 -export -in input.crt -inkey input.key -certfile root.crt -out bundle.p12
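The whole procedure end to end, as an added shell example that is not part of the original article. It generates throwaway test material (a self-signed root and a leaf certificate signed by it, all constructed on the fly, not real credentials), checks that the inputs are PEM and that the key belongs to the certificate, runs the export with -certfile and a friendly name, and then reads the bundle back to confirm that two certificates and one key went in. The working directory, the export password, the file names and the subject names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a PKCS#12 bundle from
# PEM inputs and verify what went into it. Assumes openssl is on PATH.
# The key, certificate and "root" used here are throwaway, self-signed test
# material generated below, not real credentials. Paths and the export
# password are assumptions for the demo, not values from the article.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PASS="${EXPORT_PASS:-changeit}"   # demo password; never leave it blank

# Constructed test material: a throwaway "root" CA and a leaf certificate
# signed by it, all written in PEM so there is something to bundle.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" \
        -keyout "$WORK/input.key" -out "$WORK/input.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/input.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/input.crt" 2>/dev/null
}

# Step 1 of the procedure: refuse to continue unless every input parses as PEM.
check_pem_inputs() {
    openssl x509 -inform PEM -in "$WORK/input.crt" -noout &&
    openssl x509 -inform PEM -in "$WORK/root.crt" -noout &&
    openssl pkey -inform PEM -in "$WORK/input.key" -noout
}

# The check that pkcs12 -export performs internally, made explicit: the key
# must belong to the certificate, otherwise the export fails with
# "No certificate matches private key". Compares the SubjectPublicKeyInfo
# taken from the certificate with the public half derived from the key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/input.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/input.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 2: the export command from the article, with the root appended via
# -certfile, a friendly name, and the export password passed via -passout
# instead of interactively so the script can run unattended.
export_bundle() {
    openssl pkcs12 -export \
        -in "$WORK/input.crt" -inkey "$WORK/input.key" \
        -certfile "$WORK/root.crt" -name "server.example.test" \
        -passout "pass:$EXPORT_PASS" -out "$WORK/bundle.p12"
}

# Verification: count the certificates and keys that actually landed in the
# bundle (2 certificates and 1 key are expected here).
count_bundle_certs() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
count_bundle_keys() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$EXPORT_PASS" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY'
}

main() {
    make_test_material
    check_pem_inputs
    key_matches_cert
    export_bundle
    echo "bundle: $WORK/bundle.p12"
    echo "certificates: $(count_bundle_certs), keys: $(count_bundle_keys)"
    # Show which PBE and MAC algorithms the installed OpenSSL actually chose,
    # which is how to tell whether an importer will need a -legacy re-export.
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$EXPORT_PASS" -info -noout
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found on PATH" >&2
fi
```

The -info output at the end is worth reading once on any new OpenSSL build: it names the key and certificate PBE algorithms and the MAC digest, which is exactly what an older Windows or Java importer will complain about if it cannot handle them.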
More Information
For more information about OpenSSL, refer to the OpenSSL Web site.
Some PKCS#12 implementations require that a friendly name be specified using the -name flag (for example, -name "Friendly Name"); the importing application displays this name, for instance as the friendly name of the certificate in the Windows certificate store.
There is an obsolete and incompatible format also called PFX that should not be confused with PKCS#12, even though Microsoft uses the .PFX extension as well as .P12 for PKCS#12 files.
Keys are sensitive information and should be stored carefully, encrypted with a strong passphrase and a strong cipher. When writing a PEM key with openssl rsa or openssl pkey, the cipher is selected with a -des, -des3, -idea, -aes128, -aes192, or -aes256 flag; DES and IDEA are obsolete and should not be used, and AES-256 should be preferred over Triple DES for new material. When creating a PKCS#12 file, the key and certificate encryption algorithms are chosen with the -keypbe and -certpbe options (for example, -keypbe AES-256-CBC -certpbe AES-256-CBC). OpenSSL 1.1.1 and earlier default to Triple DES for the key and 40-bit RC2 for the certificates; OpenSSL 3.0 and later default to AES-256-CBC with PBKDF2 for both.
If you do not have access to the passphrase for an encrypted key it is unlikely you will be able to retrieve the key itself and will need to generate a new key and corresponding certificate(s).
Key sizes of up to 4096 bits are supported by ICA Clients on the Windows platform and up to 2048 bits on non-Windows platforms. See CTX750591 - Error: There was a problem reading a security certificate for more information.