PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl pkcs12 -export" - Certificate and Key Bundle
This section provides a tutorial example on how to create a PKCS12 bundle to store a self-signed certificate and its private/public key pair using the 'openssl pkcs12 -export' command.
If you want to store your certificate and private/public key pair as a PKCS12 bundle file, you can use the "openssl pkcs12 -export" command as shown in this tutorial.
1. Create a self-signed certificate from an internally generated private/public key pair.
herong$ openssl req -x509 \
  -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
  -keyout key.pem -passout pass:TopSecret \
  -out cert.pem
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ZZ Root CA
Email Address []:
2. Create a PKCS12 bundle file from the certificate and the private/public key pair.
herong$ openssl pkcs12 -export -in cert.pem \
  -inkey key.pem -passin pass:TopSecret \
  -out bundle.p12 -passout pass:TopSecret
3. Print out information from the PKCS12 bundle. It contains a certificate bag and a key bag.
herong$ openssl pkcs12 -info -in bundle.p12 \
  -passin pass:TopSecret -noout
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
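The "-info" output above reveals how the bundle protects its contents: the certificate bag is encrypted with 40-bit RC2, the key bag with 3-key Triple DES, and the integrity MAC uses SHA-1. As an added example (not part of this tutorial), the Python script below audits such "openssl pkcs12 -info -noout" output and reports which bags rely on legacy algorithms or low iteration counts; the sample input is the output quoted in step 3, and the regular expression also accepts the "PBES2, PBKDF2, AES-256-CBC, ..." form printed by OpenSSL 3 (assumed format).

```python
import re

# Constructed sample: the "openssl pkcs12 -info -noout" output shown in
# step 3 of the tutorial, used here as the text to audit.
SAMPLE_INFO = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

# Substrings identifying the PKCS#12 PBE schemes built on RC2, RC4 or DES.
LEGACY_PBE = ("RC2", "RC4", "TripleDES", "DES-CBC")
WEAK_MAC = ("sha1", "md5")
MIN_ITERATIONS = 2048

# Matches "MAC: sha1, Iteration 2048" as well as
# "Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256".
ALG_RE = re.compile(
    r"^(?P<what>MAC|PKCS7 Encrypted data|Shrouded Keybag): "
    r"(?P<alg>.+?), Iteration (?P<iter>\d+)"
)


def audit_pkcs12_info(text):
    """Return a list of findings (strings) for weak settings in -info output.

    An empty list means every protected element uses AES-class PBE,
    a SHA-2 MAC and at least MIN_ITERATIONS KDF iterations.
    """
    findings = []
    for line in text.splitlines():
        m = ALG_RE.match(line.strip())
        if not m:
            continue  # "Certificate bag", "PKCS7 Data", "MAC length: ..." etc.
        what, alg, iters = m["what"], m["alg"], int(m["iter"])
        if what == "MAC":
            if alg.lower() in WEAK_MAC:
                findings.append(f"MAC uses {alg}; regenerate with -macalg sha256")
        elif any(tag in alg for tag in LEGACY_PBE):
            # PKCS7 Encrypted data is the certificate bag, Shrouded Keybag the key bag.
            flag = "-certpbe" if what.startswith("PKCS7") else "-keypbe"
            findings.append(f"{what} uses {alg}; regenerate with {flag} AES-256-CBC")
        if iters < MIN_ITERATIONS:
            findings.append(f"{what} iteration count {iters} is below {MIN_ITERATIONS}")
    return findings


if __name__ == "__main__":
    for finding in audit_pkcs12_info(SAMPLE_INFO):
        print(finding)
```

Run against a live bundle with "openssl pkcs12 -info -in bundle.p12 -noout | python3 audit.py" after replacing SAMPLE_INFO with sys.stdin.read().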
4. Convert the PKCS12 bundle into a PEM bundle.
herong$ openssl pkcs12 -in bundle.p12 -passin pass:TopSecret \
  -out bundle.pem -passout pass:TopSecret
5. Look at the PEM bundle. The private/public key pair is encrypted. The same "localKeyID" value links the certificate to the key pair.
herong$ more bundle.pem
Bag Attributes
    localKeyID: 8FA158C06A469A5F63985DEAC7BD27D52DFF2487
subject=C = ZZ, CN = ZZ Root CA
issuer=C = ZZ, CN = ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIB1zCCAVygAwIBAgIUNOv6xSWMWqqiu4HdqQ3iTN2gnUswCgYIKoZIzj0EAwIw
IjELMAkGA1UEBhMCWloxEzARBgNVBAMMClpaIFJvb3QgQ0EwHhcNMjQxMTI0MDI0
...
5PiTb38dWlu7L5O004JykGWPhJ7JKpQhgw4AskMkxhc3b6ZljmTVZOVQqg==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 8FA158C06A469A5F63985DEAC7BD27D52DFF2487
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBEzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI54XhjfLnwvUCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECENJMH+K4Sf3BIHAhLJe88XJLtPw
...
BYXgYOSINcVYSlToq1jnkFnC93XpgblDszBUmQ9OHh5FhCS27MFI