Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Key Formats PKCS#8 and PKCS#12 and Migration


(Continued from previous part...)

My command session was recorded as below:

>rem self-signed certificate in X509 format, PEM encoding
>openssl req -new -x509 -key openssl_key.pem -keyform pem 
-out openssl_crt.pem -outform pem -config openssl.cnf

You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:

>rem key and certificate merged in PKCS#12 format
>openssl pkcs12 -export -inkey openssl_key.pem -in openssl_crt.pem
-out openssl_key_crt.p12 -name openssl_key_crt

Loading 'screen' into random state - done
Enter Export Password: p12pass
Verifying - Enter Export Password:

>rem PKCS#12 file converted back to PEM format (certificate plus encrypted key)
>openssl pkcs12 -in openssl_key_crt.p12 -out openssl_key_crt_enc.pem

Enter Import Password: p12pass
MAC verified OK
Enter PEM pass phrase: keypass
Verifying - Enter PEM pass phrase: keypass

Notes on the commands and options I used:

  • "openssl req -new -x509" command generates a self-signed certificate based on the given private and public key pair.
  • "openssl pkcs12 -export" command merges the private and public key pair with its self-signed certificate into a PKCS#12 file.
  • "-inkey openssl_key.pem" option specifies the private and public key pair in a PEM encoded file.
  • "-in openssl_crt.pem" option specifies the self-signed certificate in a PEM encoded file.
  • "-out openssl_key_crt.p12" option specifies the output PKCS#12 file name.
  • "-name openssl_key_crt" option specifies a name for the key pair and the certificate in the PKCS#12 file.
  • "openssl pkcs12" command without "-export" option parses a PKCS#12 file as input.

The result is very nice. My private key and my self-signed certificate are now stored together, each format in a single file:

  • openssl_key_crt.p12 - PKCS#12 file, encrypted, binary form.
  • openssl_key_crt_enc.pem - PEM encoded and encrypted private key and PEM encoded certificate in one file.

Want to see the file structure of openssl_key_crt_enc.pem? Here it is:

>type openssl_key_crt_enc.pem

Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
subject=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Her...
issuer=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Hero...
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCQ0Ex
...
joy2xMaAryTrfoyUyqL10TusG3MeoXnHl4u4F5mLbQgr13CYHjdp
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5845E016B16C7803

xo6pJ9madEbOB9SAQgIGC3GeZ7xDqHZJm6RkquOju23dSxzzetR2u/PPtnQ82hK0
...
7DSeQRZg3a1TTwQXwYXCqHdc2qLzISH/C4ERqm7EqJ2PCsEe7GSfmA==
-----END RSA PRIVATE KEY-----

openssl_key_crt_enc.pem is essentially the certificate PEM file and the encrypted private key PEM file concatenated, with a "Bag Attributes" header in front of each block. The localKeyID value is the same on both blocks, which is how the PKCS#12 structure ties this private key to this certificate.
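The structure above can be checked mechanically. The following POSIX shell script is an added example, not part of this tutorial: it verifies that a PEM file written by "openssl pkcs12 -in ... -out ..." holds exactly one certificate and one private key, that their localKeyID bag attributes match, and that the key block is still encrypted. The sample file it writes is constructed with placeholder base64 bodies.

```shell
# Added example, not from the tutorial: sanity-check the PEM file written by
# "openssl pkcs12 -in x.p12 -out x.pem". It verifies that the file holds exactly
# one certificate and one private key, that the localKeyID bag attribute on the
# certificate matches the one on the key (so they belong together), and that the
# key block is encrypted (Proc-Type: 4,ENCRYPTED for legacy PEM, or a PKCS#8
# "ENCRYPTED PRIVATE KEY" block), i.e. the pass phrase step was not skipped.
check_p12_pem() {
    awk '
        /localKeyID:/ { id = $0; sub(/.*localKeyID:[ \t]*/, "", id) }
        /^-----BEGIN CERTIFICATE-----/ { certs++; cert_id = id; id = "" }
        /^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/ {
            keys++; key_id = id; id = ""; in_key = 1
            if ($0 ~ /ENCRYPTED PRIVATE KEY/) enc++      # PKCS#8 encrypted form
        }
        in_key && /^Proc-Type: 4,ENCRYPTED/ { enc++ }     # legacy PEM encryption
        /^-----END .*PRIVATE KEY-----/ { in_key = 0 }
        END {
            if (certs != 1 || keys != 1) { print "expected 1 cert + 1 key"; exit 1 }
            if (cert_id == "" || cert_id != key_id) { print "localKeyID mismatch"; exit 1 }
            if (enc != 1) { print "private key is NOT encrypted"; exit 1 }
            print "OK: cert and key share localKeyID " cert_id "; key is encrypted"
        }' "$1"
}

# Constructed sample in the layout the tutorial shows (base64 bodies are
# placeholders, not real key material). $1 is the directory to write into.
write_samples() {
    cat > "$1/good.pem" <<'EOF'
Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70
subject=/C=CA/CN=Constructed Example
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCQ0Ex
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5845E016B16C7803

xo6pJ9madEbOB9SAQgIGC3GeZ7xDqHZJm6RkquOju23dSxzzetR2u/PPtnQ82hK0
-----END RSA PRIVATE KEY-----
EOF
    # Same file with the key in the clear, as "-nodes" would produce it.
    grep -v -e '^Proc-Type' -e '^DEK-Info' "$1/good.pem" > "$1/clear.pem"
}
```

Run it as `check_p12_pem openssl_key_crt_enc.pem`; a non-zero exit means the file should not be deployed as-is.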

Now I have the final PKCS#12 file with my private key and certificate. I can verify it with Java SE "keytool" command as described in the next section.

"keytool" Verifying PKCS#12 Files

Since the Java SE "keytool" command supports PKCS#12 files, I want to try it with my PKCS#12 file, openssl_key_crt.p12, created by "OpenSSL", with the following tests:

  • Use "keytool -list" command to display what's in the PKCS#12 file.
  • Use "keytool -exportcert" command to export the self-signed certificate; it exports only the certificate from a PrivateKeyEntry in a keystore, not the private key.

My command session was recorded as below:

>keytool -list -keystore openssl_key_crt.p12 -storetype pkcs12 
-storepass p12pass

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

openssl_key_crt, Jul 29, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 1D:D4:AC:96:53:25:9F:1A:D0:A7:46:6C...

>keytool -exportcert -keystore openssl_key_crt.p12 -storetype pkcs12 
-storepass p12pass -alias openssl_key_crt 
-file keytool_openssl_crt.pem -rfc

Certificate stored in file <keytool_openssl_crt.pem>

(Continued on next part...)


Dr. Herong Yang, updated in 2007