PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl pkcs12 -export" - 3-Level Certificate Chain and Key Bundle
This section provides a tutorial example on how to create a PKCS12 bundle to store a certificate signing chain and key pair of the end certificate, using the 'openssl pkcs12 -export' command.
If you certificate is signed by an intermediate CA, you can store the 3-level certificate signing chain and the your private/public key pair into PKCS12 bundle.
1. Check the key file and related certificates generated from the "openssl ca" - CA (Certificate Authority) Tool chapter.
herong$ ls -l 1889 Nov 24 09:19 hy-cert-2.pem # my certificate 379 Nov 24 08:21 key.pem # my private/public key pair 2162 Nov 24 09:17 intermediate-cert.pem # intermediate CA 749 Nov 24 08:07 root-cert.pem # the root CA certificate
2. Concatenate all 3 certificates (in the signed-by order) into a PEM bundle
herong$ cat hy-cert-2.pem intermediate-cert.pem root-cert.pem \ > chain-cert.pem
3. Create a PKCS12 bundle file from the PEM bundle and the private/public key pair.
herong$ openssl pkcs12 -export -in chain-cert.pem \ -inkey key.pem -passin pass:TopSecret \ -out hy-cert-bundle-2.p12 -passout pass:TopSecret
4. Print out information from the PKCS12 bundle. It contains 3 certificate bags and 1 key bag.
herong$ openssl pkcs12 -info -in hy-cert-bundle-2.p12 \ -passin pass:TopSecret -noout MAC Iteration 2048 MAC verified OK PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag Certificate bag Certificate bag PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
5. Convert the PKCS12 bundle into a PEM bundle.
herong$ openssl pkcs12 -in hy-cert-bundle-2.p12 -passin pass:TopSecret \ -out hy-cert-bundle-2.pem -passout pass:TopSecret
6. Look at the PEM bundle. The private/public key pair is encrypted. The same "localKeyID" value links my certificate to my key pair. DN (Distinguished Name) values link 3 certificates as a signing chain.
herong$ more hy-cert-bundle-2.pem Bag Attributes localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB subject=/C=ZZ/CN=Herong Yang issuer=/C=ZZ/CN=ZZ Intermediate CA -----BEGIN CERTIFICATE----- MIIBbzCB+AICEAMwCQYHKoZIzj0EATAqMQswCQYDVQQGEwJaWjEbMBkGA1UEAxMS WlogSW50ZXJtZWRpYXRlIENBMB4XDTI0MTEyNDE0MTkxMFoXDTI1MTEyNDE0MTkx ... 9aazAL2XvpsSgXU39+evXgOBAclswQPqosaEspOyMeDEpSo= -----END CERTIFICATE----- Bag Attributes: <No Attributes> subject=/C=ZZ/CN=ZZ Intermediate CA issuer=/C=ZZ/CN=ZZ Root CA -----BEGIN CERTIFICATE----- MIIBnTCCASSgAwIBAgICEAIwCQYHKoZIzj0EATAiMQswCQYDVQQGEwJaWjETMBEG A1UEAxMKWlogUm9vdCBDQTAeFw0yNDExMjQxNDE3NTFaFw0yNTExMjQxNDE3NTFa ... tP5RO+BCCJH0nmtBntbgG9Zl00afgZ+YmqQUzIVsRTTK -----END CERTIFICATE----- Bag Attributes: <No Attributes> subject=/C=ZZ/CN=ZZ Root CA issuer=/C=ZZ/CN=ZZ Root CA -----BEGIN CERTIFICATE----- MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0 ... w0bo7xDCG8M6/C0mUSut8b9kJGjleevob+5a41oKug== -----END CERTIFICATE----- Bag Attributes localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB Key Attributes: <No Attributes> -----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,C6C8A17D90574C7D BKNoxzBVJwxkYbeRjlvapr6CnZmD+2nBGRRg7RKEhSVxqMdN4zUPD7kFadIdnZ/6 RYJDk9fzhDlQVLZFcxnZXOq/+2c0V5e/6d8YhTHBJf2vR3iLcRR1bkUp745jF+gV ... j5B7OiDp+I2JNvJJ/cQ5mxWatRdIofYD -----END EC PRIVATE KEY-----
Note that another way to build a PKCS12 bundle of a 3-level certificate chain and the end key is to use the "openssl pkcs12 -export -chain" command. It will search and find all signing CA certificates from a given trusted CA certificate lists.
openssl pkcs12 -export -in hy-cert.pem \ -inkey hy-key.pem -passin pass:TopSecret \ -chain -CAfile root-ca-list.pem \ -out hy-cert-chain.p12 -passout pass:TopSecret Where: -inkey hy-key.pem # the end key file -chain # search for the signing CA certificate -CAfile root-ca-list.pem # CA certificate list to search from
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of PKI Certificate
OpenSSL - Cryptography Toolkit
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
►PKCS12 Certificate Bundle File
"openssl pkcs12 -export" - Certificate and Key Bundle
"openssl pkcs12 -export" - Certificate Chain and Key Bundle
►"openssl pkcs12 -export" - 3-Level Certificate Chain and Key Bundle
"openssl pkcs12 -export" - Limitations and Errors
"keytool -genkeypair" - Certificate and Key Bundle
"keytool -importcert" - Certificate-Only Bundle
"keytool -storetype pkcs12" - Limitations and Errors
ASN.1 Data Structure of PKCS13 File