This section provides a tutorial example on how to merge a private key and its self-signed certificate into a single PKCS#12 file, which can then be parsed back into a PEM file with the private key encrypted under a pass phrase (Triple DES by default in the OpenSSL version used here).
PKCS#12 (Personal Information Exchange Syntax Standard) defines how a private key
and its related certificates are stored in a single file. In this section,
I want to try the following:
Use "openssl req -new -x509" command to create a self-signed certificate with my private key.
Use "openssl pkcs12 -export" command to merge my private key and my certificate into a PKCS#12 file.
Use "openssl pkcs12" command (without "-export") to parse a PKCS#12 file into a PEM file with the private key encrypted.
My command session was recorded as below:
>rem self-signed certificate in X509 format, PEM encoding
>openssl req -new -x509 -key openssl_key.pem -keyform pem
-out openssl_crt.pem -outform pem -config openssl.cnf
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:
>rem key and certificate merged in PKCS#12 format
>openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem
-out openssl_key_crt.p12 -name openssl_key_crt
Loading 'screen' into random state - done
Enter Export Password: p12pass
Verifying - Enter Export Password:
>rem parse the PKCS#12 file into PEM, encrypting the private key
>openssl pkcs12 -in openssl_key_crt.p12 -out openssl_key_crt_enc.pem
Enter Import Password: p12pass
MAC verified OK
Enter PEM pass phrase: keypass
Verifying - Enter PEM pass phrase: keypass
Notes on the commands and options I used:
"openssl req -new -x509" command generates a self-signed certificate from the given private key (the public key embedded in the certificate is derived from it).
"openssl pkcs12 -export" command merges the private key with its self-signed certificate into a PKCS#12 file, protected by the export password (which is also used to compute the MAC that is checked on import).
"-inkey openssl_key.pem" option specifies the private key in a PEM-encoded file.
"-in openssl_crt.pem" option specifies the self-signed certificate in a PEM-encoded file.
"-out openssl_key_crt.p12" option specifies the output PKCS#12 file name.
"-name openssl_key_crt" option specifies a friendly name for the key and the certificate in the PKCS#12 file.
"openssl pkcs12" command without "-export" option parses a PKCS#12 file as input: it verifies the MAC with the import password, then writes the certificate and the private key as PEM, prompting for a new pass phrase that encrypts the private key in the output file.
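The same three steps as a non-interactive script, followed by the checks a practitioner would run on the result: that the PKCS#12 MAC verifies only with the export password, that the key inside the parsed PEM file still belongs to the certificate, and that the private key block in that file really is encrypted. This is an added example and not the command session above; the temporary directory, the file names, the subject and the passwords p12pass/keypass are assumptions. The PBE and MAC algorithms are passed explicitly because older OpenSSL builds default to RC2-40 for the certificate bag and SHA-1 for the MAC, which OpenSSL 3.x refuses to read without the legacy provider.

```shell
#!/bin/sh
# Added example (not the tutorial's own session): build a PKCS#12 bundle
# from a fresh RSA key and self-signed certificate, parse it back into an
# encrypted PEM file, and verify the round trip. Paths and passwords are
# illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Steps 1-3 of the tutorial, with -subj/-passin/-passout so nothing prompts.
make_bundle() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -days 365 \
        -subj "/C=CA/O=HY Company/CN=Herong Yang" -out "$WORK/crt.pem"
    # Explicit PBE and MAC algorithms: old defaults (RC2-40, SHA-1) are
    # rejected by OpenSSL 3.x unless the legacy provider is loaded.
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/crt.pem" \
        -name key_crt -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout pass:p12pass -out "$WORK/key_crt.p12"
    # Parse mode: MAC is checked with the import password, then the
    # certificate and key are written as PEM with the key re-encrypted
    # (AES-256 requested explicitly instead of the version-dependent default).
    openssl pkcs12 -in "$WORK/key_crt.p12" -passin pass:p12pass \
        -aes256 -passout pass:keypass -out "$WORK/key_crt_enc.pem"
}

# Exit status 0 if the PKCS#12 MAC verifies with the given password.
# -noout suppresses the key/cert output, so no PEM pass phrase is needed.
mac_ok() {
    openssl pkcs12 -in "$WORK/key_crt.p12" -passin pass:"$1" -noout 2>/dev/null
}

# Echo "match" when the private key in the parsed PEM file belongs to the
# certificate in the same file (compared via their SPKI public-key PEM).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/key_crt_enc.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/key_crt_enc.pem" -passin pass:"$1" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Echo the PEM header of the private key block; an encrypted PKCS#8 key
# is labelled ENCRYPTED PRIVATE KEY.
key_header() {
    grep -m1 -E '^-----BEGIN .*PRIVATE KEY-----' "$WORK/key_crt_enc.pem"
}

main() {
    make_bundle
    mac_ok p12pass && echo "MAC verified with export password"
    if mac_ok wrongpass; then echo "BUG: MAC accepted wrong password"; exit 1; fi
    echo "MAC rejected wrong password"
    echo "key/cert: $(key_matches_cert keypass)"
    echo "key block: $(key_header)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh pkcs12_roundtrip.sh --run`. The MAC check is the important one: a PKCS#12 file whose MAC does not verify has either been tampered with or is being opened with the wrong password, and `openssl pkcs12` refuses to go on in either case.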
The result is very nice. My private key and my self-signed certificate are stored in a single file now: