Cryptography Tutorials - Herong's Tutorial Examples - Version 5.36, by Dr. Herong Yang
"openssl pkcs12" Merging Key with Certificate
This section provides a tutorial example on how to merge a private key and its self-signed certificate into a single PKCS#12 file, which can then be encoded as PEM and encrypted with DES.
PKCS#12 (Personal Information Exchange Syntax Standard) defines how a private key and its related certificates should be stored in a single file. In this section, I want to try the following:
My command session was recorded as below:
    >rem self-signed certificate in X509 format, PEM encoding
    >openssl req -new -x509 -key openssl_key.pem -keyform pem -out openssl_crt.pem -outform pem -config openssl.cnf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CA]:
    State or Province Name (full name) [HY State]:
    Locality Name (eg, city) [HY City]:
    Organization Name (eg, company) [HY Company]:
    Organizational Unit Name (eg, section) [HY Unit]:
    Common Name (eg, YOUR name) [Herong Yang]:
    Email Address [herongyang.com]:

    >rem key and certificate merged in PKCS#12 format
    >openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt
    Loading 'screen' into random state - done
    Enter Export Password: p12pass
    Verifying - Enter Export Password:

    >rem encrypt the PKCS#12 file
    >openssl pkcs12 -in openssl_key_crt.p12 -out openssl_key_crt_enc.pem
    Enter Import Password: p12pass
    MAC verified OK
    Enter PEM pass phrase: keypass
    Verifying - Enter PEM pass phrase: keypass
Notes on the commands and options I used:
The result is very nice. My private key and my self-signed certificate are stored in single files now:
Want to see the file structure of openssl_key_crt_enc.pem? Here it is:
    >type openssl_key_crt_enc.pem
    Bag Attributes
        localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
    subject=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Her...
    issuer=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Hero...
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCQ0Ex
    ...
    joy2xMaAryTrfoyUyqL10TusG3MeoXnHl4u4F5mLbQgr13CYHjdp
    -----END CERTIFICATE-----
    Bag Attributes
        localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
    Key Attributes: <No Attributes>
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,5845E016B16C7803

    xo6pJ9madEbOB9SAQgIGC3GeZ7xDqHZJm6RkquOju23dSxzzetR2u/PPtnQ82hK0
    ...
    7DSeQRZg3a1TTwQXwYXCqHdc2qLzISH/C4ERqm7EqJ2PCsEe7GSfmA==
    -----END RSA PRIVATE KEY-----
openssl_key_crt_enc.pem looks like a concatenated file of the key PEM file and certificate PEM file.
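The file structure shown above can be checked by a script. The following is an added example, not part of the original tutorial: it splits such a bundle into its PEM blocks, reads the localKeyID bag attribute that ties the certificate to its key, and reports whether each private key block is encrypted. The function names audit_bundle and plaintext_keys are hypothetical, the sample data is constructed, and the check also accepts the PKCS#8 label "ENCRYPTED PRIVATE KEY", which goes beyond the single case shown on this page.

```python
import re

# Constructed sample in the layout shown above; the base64 bodies and IDs are
# placeholders, not real key material.
SAMPLE = """Bag Attributes
    localKeyID: 01 02 03 04
subject=/CN=Example
-----BEGIN CERTIFICATE-----
QUJDRA==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

QUJDRA==
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def audit_bundle(text):
    """Return one dict per PEM block: label, localKeyID, cipher, encrypted."""
    text = text.replace("\r\n", "\n")          # files written on Windows
    blocks, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        preamble, pos = text[pos:m.start()], m.end()   # bag attributes precede the block
        key_id = re.search(r"localKeyID:\s*([0-9A-Fa-f ]+)", preamble)
        # Legacy encrypted keys carry RFC 1421 headers before the base64 body.
        headers = dict(re.findall(r"^([A-Za-z-]+): (.*)$", body, re.M))
        is_key = label.endswith("PRIVATE KEY")
        encrypted = is_key and (label == "ENCRYPTED PRIVATE KEY"
                                or headers.get("Proc-Type") == "4,ENCRYPTED")
        blocks.append({"label": label, "is_key": is_key, "encrypted": encrypted,
                       "key_id": key_id.group(1).strip() if key_id else None,
                       "cipher": headers.get("DEK-Info", "").split(",")[0] or None})
    return blocks

def plaintext_keys(text):
    """Labels of private-key blocks that are stored without encryption."""
    return [b["label"] for b in audit_bundle(text) if b["is_key"] and not b["encrypted"]]

if __name__ == "__main__":
    for block in audit_bundle(SAMPLE):
        print(block)
    print("unencrypted keys:", plaintext_keys(SAMPLE))
```

A non-empty result from plaintext_keys means the bundle holds a private key that anyone with read access to the file can use without a pass phrase.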
Now I have the final PKCS#12 file with my private key and certificate. I can verify it with Java SE "keytool" command as described in the next section.
Last update: 2013.