"openssl pkcs12 -export" - 3-Level Certificate Chain and Key Bundle

This section provides a tutorial example on how to create a PKCS12 bundle that stores a 3-level certificate signing chain together with the key pair of the end certificate, using the 'openssl pkcs12 -export' command.

If your certificate is signed by an intermediate CA, you can store the 3-level certificate signing chain (your certificate, the intermediate CA certificate and the root CA certificate) and your private/public key pair in a single PKCS12 bundle.

1. Check the key file and related certificates generated in the "openssl ca" - CA (Certificate Authority) Tool chapter.

herong$ ls -l 

  1889 Nov 24 09:19 hy-cert-2.pem   # my certificate
   379 Nov 24 08:21 key.pem         # my private/public key pair
  2162 Nov 24 09:17 intermediate-cert.pem # intermediate CA
   749 Nov 24 08:07 root-cert.pem   # the root CA certificate

2. Concatenate all 3 certificates into a PEM bundle, in signing order: the end certificate first, then its intermediate CA issuer, then the root CA.

herong$ cat hy-cert-2.pem intermediate-cert.pem root-cert.pem \
  > chain-cert.pem

3. Create a PKCS12 bundle file from the PEM bundle and the private/public key pair. Note that a "pass:" argument puts the password on the command line, where other users can read it from the process list and where the shell saves it in its history; the "env:" and "file:" forms of -passin and -passout avoid this.

herong$ openssl pkcs12 -export -in chain-cert.pem \
  -inkey key.pem -passin pass:TopSecret \
  -out hy-cert-bundle-2.p12 -passout pass:TopSecret 

4. Print out information from the PKCS12 bundle. It contains 3 certificate bags and 1 key bag. The encryption algorithms shown below, 40-bit RC2 for the certificates and 3-key Triple DES for the key, are the legacy defaults of OpenSSL 1.x and offer little protection. OpenSSL 3.x defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC; on older versions you can request the same with "-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256".

herong$ openssl pkcs12 -info -in hy-cert-bundle-2.p12 \
  -passin pass:TopSecret -noout

MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

5. Convert the PKCS12 bundle into a PEM bundle.

herong$ openssl pkcs12 -in hy-cert-bundle-2.p12 -passin pass:TopSecret \
  -out hy-cert-bundle-2.pem -passout pass:TopSecret

6. Look at the PEM bundle. The private key is still encrypted, with the -passout password. The same "localKeyID" value on the first certificate and on the key links my certificate to my key pair. The subject and issuer DN (Distinguished Name) values link the 3 certificates into a signing chain: each certificate's issuer is the subject of the next one, and the root CA certificate is self-signed.

herong$ more hy-cert-bundle-2.pem

Bag Attributes
    localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB 
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBbzCB+AICEAMwCQYHKoZIzj0EATAqMQswCQYDVQQGEwJaWjEbMBkGA1UEAxMS
WlogSW50ZXJtZWRpYXRlIENBMB4XDTI0MTEyNDE0MTkxMFoXDTI1MTEyNDE0MTkx
...
9aazAL2XvpsSgXU39+evXgOBAclswQPqosaEspOyMeDEpSo=
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=ZZ Intermediate CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIBnTCCASSgAwIBAgICEAIwCQYHKoZIzj0EATAiMQswCQYDVQQGEwJaWjETMBEG
A1UEAxMKWlogUm9vdCBDQTAeFw0yNDExMjQxNDE3NTFaFw0yNTExMjQxNDE3NTFa
...
tP5RO+BCCJH0nmtBntbgG9Zl00afgZ+YmqQUzIVsRTTK
-----END CERTIFICATE-----

Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC
WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0
...
w0bo7xDCG8M6/C0mUSut8b9kJGjleevob+5a41oKug==
-----END CERTIFICATE-----

Bag Attributes
    localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB 
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C6C8A17D90574C7D

BKNoxzBVJwxkYbeRjlvapr6CnZmD+2nBGRRg7RKEhSVxqMdN4zUPD7kFadIdnZ/6
RYJDk9fzhDlQVLZFcxnZXOq/+2c0V5e/6d8YhTHBJf2vR3iLcRR1bkUp745jF+gV
...
j5B7OiDp+I2JNvJJ/cQ5mxWatRdIofYD
-----END EC PRIVATE KEY-----

Note that another way to build a PKCS12 bundle of a 3-level certificate chain and the end key is to use the "openssl pkcs12 -export -chain" option. It searches a given list of trusted CA certificates for the signing CA certificates and includes the whole chain in the bundle. The list must contain the intermediate CA certificate as well as the root; if the chain cannot be completed from it, the command fails with an error.

openssl pkcs12 -export -in hy-cert.pem \
  -inkey hy-key.pem -passin pass:TopSecret \
  -chain -CAfile root-ca-list.pem \
  -out hy-cert-chain.p12 -passout pass:TopSecret 

Where:
  -inkey hy-key.pem        # the end key file
  -chain                   # search for the signing CA certificates
  -CAfile root-ca-list.pem # CA certificate list to search from
