This how-to will walk you through extracting information from a PKCS#12 file with OpenSSL. PKCS#12 (also known as PKCS12 or PFX) is a binary format for storing a certificate chain and private key in a single, encryptable file. PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.
What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer (note that the openssl binary shipped with recent macOS versions is actually LibreSSL, whose options differ slightly from those shown here). If you would like to use OpenSSL on Windows, you can enable the Windows Subsystem for Linux or install Cygwin. You can also easily create a PKCS#12 file with OpenSSL.
In all of the examples shown below, substitute the names of the files you are actually working with for INFILE.p12, OUTFILE.crt, and OUTFILE.key.
View PKCS#12 Information on Screen
To dump all of the information in a PKCS#12 file to the screen in PEM format, use this command (the -info flag also prints the container's MAC and bag-encryption details, and -nodes leaves the private key unencrypted in the output):
openssl pkcs12 -info -in INFILE.p12 -nodes
You will then be prompted for the PKCS#12 file’s password:
Enter Import Password:
Type the password entered when creating the PKCS#12 file and press enter. OpenSSL will output any certificates and private keys in the file to the screen. Two caveats for OpenSSL 3.x: -nodes is now a deprecated alias for -noenc (both still work), and old .pfx files protected with legacy ciphers such as RC2-40 will fail to open with an unsupported-algorithm error unless you add -legacy to the command.
Bag Attributes
    localKeyID: AC 3E 77 9A 99 62 84 3D 77 CB 44 0D F9 78 57 7C 08 28 05 97
subject=/CN=Aaron Russell/emailAddress=*********@gmail.com
issuer=/C=US/ST=Texas/L=Houston/O=SSL Corp/CN=SSL.com Client Certificate Intermediate CA RSA R1
-----BEGIN CERTIFICATE-----
MIIF1DCCA7ygAwIBAgIQcOrAJCMayJsZBKJsyz/aQDANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x
ETAPBgNVBAoMCFNTTCBDb3JwMTowOAYDVQQDDDFTU0wuY29tIENsaWVudCBDZXJ0
...
bwK6ABAZUq6QcvhD0LYsXya+ncDCR6wxb9E0DWd4ATQMzxGTu/yE3kT+9Ef6IY+n
armh3HZUfan2Hb64YD0tjLMca/PC+sKAZu28gB/3HQRHIFugvh6RO3bIoorl0jUg
1Ml2r83++biS0HL6JdcwuuUF
-----END PRIVATE KEY-----
Encrypt Private Key
If you would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command:
openssl pkcs12 -info -in INFILE.p12
In this case, you will be prompted to enter and verify a new password after OpenSSL outputs any certificates, and the private key will be encrypted (note that the text of the key begins with -----BEGIN ENCRYPTED PRIVATE KEY-----):
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIGwhJIMXRiLQCAggA
MBQGCCqGSIb3DQMHBAiXdeymTYuedgSCBMjwGg78PsqiNJLfpDFbMxL98u3tK9Cs
...
SGVCCBj5vBpSbBXAGbOv74h4satKmAMgGc8SgU06geS9gFgt/wLwehMJ/H4BSmex
4S/2tYzZrDBJkfH9JpggubYRTgwfAGY2BkX03dK2sqfu+QVTVTKMj2VI0sKcFfLZ
bdw=
-----END ENCRYPTED PRIVATE KEY-----
Extract Only Certificates or Private Key
If you only want to output the private key, add -nocerts to the command:
openssl pkcs12 -info -in INFILE.p12 -nodes -nocerts
If you only need the certificates, use -nokeys (and since we aren’t concerned with the private key we can also safely omit -nodes):
openssl pkcs12 -info -in INFILE.p12 -nokeys
Save Certificates and Private Keys to Files
You can export the certificates and private key from a PKCS#12 file and save them in PEM format to a new file by specifying an output filename:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nodes
Again, you will be prompted for the PKCS#12 file’s password. As before, you can encrypt the private key by removing the -nodes flag from the command and/or add -nocerts or -nokeys to output only the private key or certificates. Because -nodes writes the private key to disk in the clear, run the command with a restrictive umask (for example, run umask 077 first) so that the key file is readable only by you. So, to generate a private key file, we can use this command:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.key -nodes -nocerts
And to create a file including only the certificates, use this:
openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt -nokeys
Convert Private Key to PKCS#1 Format
The examples above all output the private key in OpenSSL’s default PKCS#8 format. If you know you need the older "traditional" format instead (PKCS#1 for RSA keys, or SEC1 for EC keys; strictly speaking, PKCS#1 applies only to RSA), you can pipe the output of OpenSSL’s PKCS#12 utility to its rsa or ec utility, depending on the key type. Be aware that OpenSSL 3.x changed the default output of openssl rsa to PKCS#8, so there you must add -traditional to get PKCS#1 (OpenSSL 1.1.1 writes PKCS#1 without it, and openssl ec still writes the SEC1 form by default). Check the first line of the result to confirm which format you actually got. The commands below output a key file in traditional format:
RSA
openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl rsa -out OUTFILE.key
On OpenSSL 3.x, add -traditional to the rsa command (openssl rsa -traditional -out OUTFILE.key), or the result will still be PKCS#8.
ECDSA
openssl pkcs12 -in INFILE.p12 -nodes -nocerts | openssl ec -out OUTFILE.key
Note: You can tell the formats apart by looking at the first line of text. Traditional-format files name the algorithm:
-----BEGIN RSA PRIVATE KEY-----
or, for EC keys:
-----BEGIN EC PRIVATE KEY-----
PKCS#8 files do not show the algorithm. An unencrypted PKCS#8 key begins with:
-----BEGIN PRIVATE KEY-----
and an encrypted one with:
-----BEGIN ENCRYPTED PRIVATE KEY-----
(A traditional-format key can be password-protected too; in that case Proc-Type: 4,ENCRYPTED and DEK-Info: header lines follow the BEGIN line.)
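The following shell script is an added example and not part of the original article; it ties together the "Save Certificates and Private Keys to Files" steps and the format note above in one runnable procedure. It assumes only an openssl binary (1.1.1 or 3.x) on the PATH; the Demo Root CA, the demo.example leaf certificate, the changeit password and demo.p12 are constructed fixtures that the script builds for itself. Beyond what the article covers, it reads the password with -passin file: rather than typing it, creates key files under umask 077, uses the -clcerts and -cacerts flags to separate the end-entity certificate from the CA chain, and verifies that the extracted key actually belongs to the certificate by comparing public keys.

```shell
#!/bin/sh
# Added example, not from the original article. Extracts a PKCS#12 file into
# separate PEM files, checks that the key belongs to the leaf certificate,
# reports the key's PEM format, and converts an RSA key to PKCS#1.
# Requires only the openssl binary (1.1.1 or 3.x). The CA, leaf certificate,
# password and .p12 built by make_demo_p12 are constructed fixtures.
set -eu

# Build a throwaway CA-signed leaf and bundle it into demo.p12 (fixture only).
make_demo_p12() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
    printf 'changeit\n' > "$dir/pass.txt"   # password file; first line is used
    openssl pkcs12 -export -in "$dir/leaf.crt" -inkey "$dir/leaf.key" \
        -certfile "$dir/ca.crt" -passout "file:$dir/pass.txt" -out "$dir/demo.p12"
}

# extract_p12 INFILE.p12 PASSFILE OUTDIR
# The password comes from a file (-passin file:), so it never lands in shell
# history or `ps` output. -nodes (alias of -noenc on 3.x) writes the key in
# clear, so the key file is created under umask 077. -clcerts/-cacerts split
# the end-entity certificate from the CA chain.
extract_p12() {
    p12=$1; passfile=$2; outdir=$3
    mkdir -p "$outdir"
    old_umask=$(umask); umask 077
    openssl pkcs12 -in "$p12" -passin "file:$passfile" -nodes -nocerts \
        -out "$outdir/key.pem" 2>/dev/null
    umask "$old_umask"
    openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -clcerts \
        -out "$outdir/cert.pem" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -cacerts \
        -out "$outdir/chain.pem" 2>/dev/null
}

# key_matches_cert KEY.pem CERT.pem: true when both carry the same public key
# (compared as SubjectPublicKeyInfo PEM). Works for RSA and EC keys.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# key_pem_type FILE: classify a private key by its first -----BEGIN line.
key_pem_type() {
    case $(sed -n '/-----BEGIN/{p;q;}' "$1") in
        *"BEGIN PRIVATE KEY"*)           echo "PKCS#8 (unencrypted)" ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*) echo "PKCS#8 (encrypted)" ;;
        *"BEGIN RSA PRIVATE KEY"*)       echo "PKCS#1 RSA" ;;
        *"BEGIN EC PRIVATE KEY"*)        echo "SEC1 EC" ;;
        *)                               echo "unknown" ;;
    esac
}

# rsa_key_to_pkcs1 IN.pem OUT.pem: OpenSSL 3.x writes PKCS#8 from `openssl rsa`
# unless -traditional is given; 1.1.1 lacks that flag and writes PKCS#1 anyway,
# so try the flag first and fall back.
rsa_key_to_pkcs1() {
    old_umask=$(umask); umask 077
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
    umask "$old_umask"
}

main() {
    work=$(mktemp -d)
    make_demo_p12 "$work"
    extract_p12 "$work/demo.p12" "$work/pass.txt" "$work/out"
    if key_matches_cert "$work/out/key.pem" "$work/out/cert.pem"; then
        echo "key.pem matches cert.pem"
    else
        echo "key.pem does NOT match cert.pem"
    fi
    echo "extracted key: $(key_pem_type "$work/out/key.pem")"
    rsa_key_to_pkcs1 "$work/out/key.pem" "$work/out/key.pkcs1.pem"
    echo "converted key: $(key_pem_type "$work/out/key.pkcs1.pem")"
    ls -l "$work/out"
    rm -rf "$work"
}

main
```

Run it with sh to see the demo; to use it on a real file, call extract_p12 with your own .p12, password file and output directory instead of main, then key_matches_cert on the resulting key.pem and cert.pem. A mismatch there usually means the container holds more than one key/certificate pair and -clcerts picked a different one than you expected.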