"openssl pkcs12 -export" - Certificate and Key Bundle

This section provides a tutorial example on how to create a PKCS12 bundle to store a self-signed certificate and its private/public key pair using the 'openssl pkcs12 -export' command.

If you want to store your certificate and private/public key pair as a PKCS12 bundle file, you can use the "openssl pkcs12 -export" command as shown in this tutorial.

1. Create a self-signed certificate from an internally generated private/public key pair.

herong$ openssl req -x509 \
  -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
  -keyout key.pem -passout pass:TopSecret \
  -out cert.pem 

Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ZZ Root CA 
Email Address []:

2. Create a PKCS12 bundle file from the certificate and the private/public key pair.

herong$ openssl pkcs12 -export -in cert.pem \
  -inkey key.pem -passin pass:TopSecret \
  -out bundle.p12 -passout pass:TopSecret 

3. Print out information from the PKCS12 bundle. It contains a certificate bag and a key bag.

herong$ openssl pkcs12 -info -in bundle.p12 \
  -passin pass:TopSecret -noout

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

4. Convert the PKCS12 bundle into a PEM bundle.

herong$ openssl pkcs12 -in bundle.p12 -passin pass:TopSecret \
  -out bundle.pem -passout pass:TopSecret

5. Look at the PEM bundle. The certificate is stored in clear, while the private key is stored encrypted (the "ENCRYPTED PRIVATE KEY" block). The same "localKeyID" value on both bags links the certificate to its key pair.

herong$ more bundle.pem

Bag Attributes
    localKeyID: 8FA158C06A469A5F63985DEAC7BD27D52DFF2487 
subject=C = ZZ, CN = ZZ Root CA
issuer=C = ZZ, CN = ZZ Root CA
-----BEGIN CERTIFICATE-----
MIIB1zCCAVygAwIBAgIUNOv6xSWMWqqiu4HdqQ3iTN2gnUswCgYIKoZIzj0EAwIw
IjELMAkGA1UEBhMCWloxEzARBgNVBAMMClpaIFJvb3QgQ0EwHhcNMjQxMTI0MDI0
...
5PiTb38dWlu7L5O004JykGWPhJ7JKpQhgw4AskMkxhc3b6ZljmTVZOVQqg==
-----END CERTIFICATE-----

Bag Attributes
    localKeyID: 8FA158C06A469A5F63985DEAC7BD27D52DFF2487 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBEzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI54XhjfLnwvUCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECENJMH+K4Sf3BIHAhLJe88XJLtPw
...
BYXgYOSINcVYSlToq1jnkFnC93XpgblDszBUmQ9OHh5FhCS27MFI
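
The five steps above as one non-interactive script, followed by the checks worth running on the resulting bundle: that the key bag really belongs to the certificate bag, that both bags share one localKeyID, and whether the bag encryption is the legacy RC2-40/3DES seen in step 3. This is an added example, not code from the book; it assumes the openssl CLI (1.1.1 or 3.x) is on PATH, and only the file names, subject and password "TopSecret" are taken from the tutorial.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the tutorial's bundle without
# prompts and check that the key bag really belongs to the certificate bag.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. File names, subject and
# the password "TopSecret" follow the tutorial; everything else is constructed.
set -e
WORK=$(mktemp -d)
PASS=pass:TopSecret

# Step 1: -subj replaces the interactive DN prompts shown in the tutorial.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
  -keyout "$WORK/key.pem" -passout "$PASS" -out "$WORK/cert.pem" \
  -subj "/C=ZZ/CN=ZZ Root CA" -days 30 2>/dev/null

# Step 2: certificate plus encrypted key into one PKCS12 bundle.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
  -passin "$PASS" -out "$WORK/bundle.p12" -passout "$PASS"

# Returns 0 when the public key in the certificate bag equals the public key
# derived from the private key in the key bag.
verify_bundle() {
  cert_pub=$(openssl pkcs12 -in "$1" -passin "$2" -nokeys -clcerts \
               | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$1" -passin "$2" -nocerts -nodes \
              | openssl pkey -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when both bags carry one and the same localKeyID, the attribute
# step 5 relies on to pair the certificate with its key.
same_local_key_id() {
  ids=$(openssl pkcs12 -in "$1" -passin "$2" -nodes | grep 'localKeyID')
  [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 2 ] &&
  [ "$(printf '%s\n' "$ids" | sort -u | grep -c .)" -eq 1 ]
}

# Returns 0 when -info reports the legacy PBE suites seen in step 3 (40-bit
# RC2 and 3DES, OpenSSL 1.1.1 defaults); OpenSSL 3 uses AES-256 with PBKDF2.
uses_legacy_pbe() {
  openssl pkcs12 -info -in "$1" -passin "$2" -noout 2>&1 | grep -Eq 'RC2|TripleDES'
}

if verify_bundle "$WORK/bundle.p12" "$PASS"; then echo "key bag matches certificate bag"; fi
if same_local_key_id "$WORK/bundle.p12" "$PASS"; then echo "localKeyID links the two bags"; fi
if uses_legacy_pbe "$WORK/bundle.p12" "$PASS"; then
  echo "bundle uses RC2-40/3DES bag encryption; re-export with a current OpenSSL"
fi
```

Run it as-is; every check also works on an existing .p12 by passing its path and `pass:<password>` to the three functions.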
