PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl pkcs12 -export" - Certificate Chain and Key Bundle
This section provides a tutorial example on how to create a PKCS12 bundle to store an end certificate, its private/public key pair, and the signing certificate, using the 'openssl pkcs12 -export' command.
The "openssl pkcs12 -export" command also lets you add the CA certificate to the PKCS12 file, so that the file becomes a bundle of the certificate chain plus the private/public key pair.
1. Check the key file and related certificates generated from the "openssl ca" - CA (Certificate Authority) Tool chapter.
herong$ ls -l
1869 Nov 24 08:34 hy-cert.pem     # my certificate
 379 Nov 24 08:21 key.pem         # my private/public key pair
 749 Nov 24 08:07 root-cert.pem   # the root CA certificate
2. Create a PKCS12 bundle file from the certificates and the private/public key pair.
herong$ openssl pkcs12 -export -in hy-cert.pem \
  -inkey key.pem -passin pass:TopSecret \
  -certfile root-cert.pem \
  -out hy-cert-bundle.p12 -passout pass:TopSecret
3. Print out information from the PKCS12 bundle. It contains 2 certificate bags and 1 key bag.
herong$ openssl pkcs12 -info -in hy-cert-bundle.p12 \
  -passin pass:TopSecret -noout
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Note that 40-bit RC2 for the certificate bags and 3-key Triple DES for the key bag are the defaults of OpenSSL releases before 3.0. OpenSSL 3.x writes AES-256-CBC with PBKDF2 by default, and it needs the "-legacy" option to read a bundle whose certificate bags were encrypted with RC2.
4. Convert the PKCS12 bundle into a PEM bundle.
herong$ openssl pkcs12 -in hy-cert-bundle.p12 -passin pass:TopSecret \
  -out hy-cert-bundle.pem -passout pass:TopSecret
5. Look at the PEM bundle. The private/public key pair is still encrypted, because "-passout" was given (use "-nodes" to write it unencrypted). The same "localKeyID" value links my certificate to my key pair. The issuer DN (Distinguished Name) of my certificate, "/C=ZZ/CN=ZZ Root CA", is the subject DN of the root CA certificate; that is what links the two certificates into a chain.
herong$ more hy-cert-bundle.pem
Bag Attributes
    localKeyID: 7011FD05832DF2A017027713A92B86D40EF67AC9
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIBZzCB8AICEAEwCQYHKoZIzj0EATAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMK
WlogUm9vdCBDQTAeFw0yNDExMjQxMzM0MDRaFw0yNTExMjQxMzM0MDRaMCMxCzAJ
...
4u/8yM7JASPNS4eplzuVS0l0sqpts9h1JerQ
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC
WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0
...
w0bo7xDCG8M6/C0mUSut8b9kJGjleevob+5a41oKug==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 7011FD05832DF2A017027713A92B86D40EF67AC9
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,448481F53F802209

OvkX2WL50VdGkdDyRLwyWPuiWGoa4AfL0rqKdTiLXDLpybtWnl9HIJjHCWWY1avJ
508nqsWLNZGfG+zFCsLJKqY7CzVnU6HVZ4Z0BRGOldG3eV8GGoTUzNOH+HaE1ozS
...
Fl9Or6EO1OqUlrcQOJGawSdoG2YKHJad
-----END EC PRIVATE KEY-----
Note that another way to build a PKCS12 bundle of a 3-level certificate chain and the end key is to use the "openssl pkcs12 -export -chain" command. Instead of naming the CA certificates with "-certfile", it builds the signing chain of the end certificate itself, taking intermediate CA certificates from the "-untrusted" list and the trusted root CA certificates from the "-CAfile" list, and stores every certificate of that chain in the bundle.
openssl pkcs12 -export -in hy-cert.pem \
  -inkey hy-key.pem -passin pass:TopSecret \
  -chain -CAfile root-ca-list.pem \
  -untrusted intermediate-ca-list.pem \
  -out hy-cert-chain.p12 -passout pass:TopSecret

Where:
  -inkey hy-key.pem                    # the end key file
  -chain                               # build and include the full signing chain of the end certificate
  -CAfile root-ca-list.pem             # trusted root CA certificates the chain must end at
  -untrusted intermediate-ca-list.pem  # intermediate CA certificates available for chain building
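The following script is an added example and not part of the tutorial. It carries steps 1 to 5 above and the "-chain" variant through on a throw-away 3-level chain (root CA, intermediate CA, end certificate, all EC P-256) that it builds itself, bundles the end certificate, its key and both CA certificates once with "-certfile" and once with "-chain", and then checks that each bundle holds three certificates and one matching "localKeyID". The file names, the subjects (including the intermediate CA) and the password are assumptions of the example. The "-untrusted" option of "openssl pkcs12" exists in OpenSSL 3.x; on older releases the script passes the intermediate certificate through "-CAfile" instead.

```shell
#!/bin/sh
# Added example, not from the tutorial: build a throw-away 3-level chain
# (root CA -> intermediate CA -> end certificate, all EC P-256), then pack
# the end certificate, its key and both CA certificates into a PKCS#12
# bundle two ways: with -certfile and with -chain.
# File names, subjects and the password are assumptions of this example.
set -eu
PASS=TopSecret
WORK=$(mktemp -d)
cd "$WORK"

# Extension files, so that the CA certificates are real v3 CA certificates;
# without CA:TRUE, chain building (and "openssl verify") rejects them.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca-ext.cnf
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=critical,digitalSignature' > leaf-ext.cnf

new_key_and_csr() {   # $1=subject  $2=key file  $3=CSR file  [$4=key password]
  if [ -n "${4:-}" ]; then
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -passout "pass:$4" -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
  else
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -nodes -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
  fi
}

build_pki() {
  # Self-signed root CA (its key is left unencrypted; it is a throw-away CA)
  new_key_and_csr "/C=ZZ/CN=ZZ Root CA" root-key.pem root-csr.pem
  openssl x509 -req -in root-csr.pem -signkey root-key.pem -days 30 \
    -set_serial 1 -extfile ca-ext.cnf -out root-cert.pem
  # Intermediate CA, signed by the root
  new_key_and_csr "/C=ZZ/CN=ZZ Intermediate CA" int-key.pem int-csr.pem
  openssl x509 -req -in int-csr.pem -CA root-cert.pem -CAkey root-key.pem \
    -days 30 -set_serial 2 -extfile ca-ext.cnf -out int-cert.pem
  # End certificate, signed by the intermediate; its key is password protected
  new_key_and_csr "/C=ZZ/CN=Herong Yang" key.pem hy-csr.pem "$PASS"
  openssl x509 -req -in hy-csr.pem -CA int-cert.pem -CAkey int-key.pem \
    -days 30 -set_serial 3 -extfile leaf-ext.cnf -out hy-cert.pem
  cat int-cert.pem root-cert.pem > ca-chain.pem
}

# Way 1: hand the CA certificates over explicitly with -certfile
# (step 2 of the tutorial, with two CA certificates in one file).
export_with_certfile() {
  openssl pkcs12 -export -in hy-cert.pem -inkey key.pem -passin "pass:$PASS" \
    -certfile ca-chain.pem -out hy-cert-bundle.p12 -passout "pass:$PASS"
}

# Way 2: let OpenSSL build the chain itself. -untrusted exists in OpenSSL 3.x;
# older releases only take the intermediate through -CAfile.
export_with_chain() {
  if openssl pkcs12 -help 2>&1 | grep -q -- '-untrusted'; then
    openssl pkcs12 -export -in hy-cert.pem -inkey key.pem -passin "pass:$PASS" \
      -chain -CAfile root-cert.pem -untrusted int-cert.pem \
      -out hy-cert-chain.p12 -passout "pass:$PASS"
  else
    openssl pkcs12 -export -in hy-cert.pem -inkey key.pem -passin "pass:$PASS" \
      -chain -CAfile ca-chain.pem \
      -out hy-cert-chain.p12 -passout "pass:$PASS"
  fi
}

count_certs() {   # number of certificates stored in a .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

distinct_key_ids() {   # distinct localKeyID values; 1 means cert and key are linked
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes \
    | grep 'localKeyID' | sort -u | wc -l | tr -d ' '
}

build_pki
export_with_certfile
export_with_chain
echo "certfile bundle: $(count_certs hy-cert-bundle.p12) certificates"
echo "chain bundle:    $(count_certs hy-cert-chain.p12) certificates," \
     "$(distinct_key_ids hy-cert-chain.p12) distinct localKeyID"
# The chain the bundles carry must also verify on its own
openssl verify -CAfile root-cert.pem -untrusted int-cert.pem hy-cert.pem
```

Both bundles end up with three certificates and a single shared "localKeyID", so for a complete chain the two commands are interchangeable; the difference shows when "-certfile" holds more certificates than the chain needs (they are all stored) or when it lacks one (nothing complains, and the bundle is silently incomplete), whereas "-chain" fails with an error if it cannot build a chain ending at a certificate in "-CAfile". Inspect either file with "openssl pkcs12 -info -in hy-cert-chain.p12 -passin pass:TopSecret -noout" as in step 3.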