Use OpenSSL to manage PKCS #12 archive.
Create sample certificate
Create a sample certificate.
$ openssl req -subj "/commonName=example.org/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout example.org.key -out example.org.pem
example.org.pem certificate file.
-----BEGIN CERTIFICATE----- MIIDDTCCAfWgAwIBAgIUY5YmshFi3LCcZ4659dQ90IUpMX0wDQYJKoZIhvcNAQEL BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwHhcNMjAwMTE0MDAwMDExWhcNMjIw MTEzMDAwMDExWjAWMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBANWClj4Jn7D4MUHMjZUcY/dx3RroU+tPgEkUjxJU P9srhkDWKIVFqzZDfFldHg3KWQWvbmHVhWGobQY6ylx5epFy62nAXMvkfkiPefne 6A6XxOomhJ71E4VeSNiY50vbRxzOOwKb+P+3gtK7KauRK42cP7xjGEQlpVTFOvjl wGmbUhZxZqS1jpjc6GMkaCIl8+oJD9kCzBjTLBLs+rw4DlFndfxim22HEbRClE48 /6eJ0AY9eZzkpuAaPTjYvqIaw+s/QWAZTJ+0Ev5YKw5PgPnb7qDPb0hbIcnG2F6/ 3Gn3GR6lVrhWjlB1fGxEFDoP8BoGIBafPf8xUlfDyRTZQxcCAwEAAaNTMFEwHQYD VR0OBBYEFHJPh7s99IvIYjWZCsiOmEOpbEaYMB8GA1UdIwQYMBaAFHJPh7s99IvI YjWZCsiOmEOpbEaYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AIHsx0NMJ7AgyZF/pSlG2dNhxm79K9qdDB+adXkdPpQzzIpGAPprU392SVjTYKtZ S9Y4ELrL+G/XwANLWp6UzeMZXsQfUf23LifIrvhHgjtQt/OfRIdlWjWdVOaFHg8T TZPYcHUHv836evf/2lfLbj2eZIBXoXjfOi+pDlxM/h1avrSgS25FG9Qz8PnK8xJ2 85r2xseSYxfhTEzb+N8f8RmTdClWwTT6TdeyDaQ0xwdp0W2xWKTCAkgwFyAxAcmk 5n37C8eNZWSrLQEk8i35/ziC2mpgQrNNuxGoG2U8h2RC/e5OZXgxkTqao6ul82Yt CUVAgzzpIshyiy/VrSjVKoM= -----END CERTIFICATE-----
example.org.key private key file.
-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVgpY+CZ+w+DFB zI2VHGP3cd0a6FPrT4BJFI8SVD/bK4ZA1iiFRas2Q3xZXR4NylkFr25h1YVhqG0G OspceXqRcutpwFzL5H5Ij3n53ugOl8TqJoSe9ROFXkjYmOdL20cczjsCm/j/t4LS uymrkSuNnD+8YxhEJaVUxTr45cBpm1IWcWaktY6Y3OhjJGgiJfPqCQ/ZAswY0ywS 7Pq8OA5RZ3X8YptthxG0QpROPP+nidAGPXmc5KbgGj042L6iGsPrP0FgGUyftBL+ WCsOT4D52+6gz29IWyHJxthev9xp9xkepVa4Vo5QdXxsRBQ6D/AaBiAWnz3/MVJX w8kU2UMXAgMBAAECggEAGq6NFAej2zvI/A4SC3ZWz8988CXkht2SjI9zKbk5mawg xO1+dtk0Aj4AxjIq1VJaOamow7UpTAD+Tu795vyPYqnX3Ylaj2hol6zGc4F1wo0Y 4KIbpLm/zMTxmY/SJ9qpUmI7YaIYReyq/qbBGF218aZ7GJHRsIJ73NIhAoXDu+6g fWjRg19hSz/EM/68hPxM7vstPC0S/zdMicrnbcCtA23AJL5cyifa1W1VkMv3SW3t fswSvxLT4qDRyBxc6Xq0ULNm1Q+FMyhqtPhnUX4qi9289cal0U+9rfEhFc2q0I2T VujPz76Ncm4IGeh/lf67dHYvwy7qHaPmL3Wto1U0IQKBgQD9hMjS6k8pkz7WCLJl 0JNHw0QWczM5+q2BfQM7w8McmWX0mvKqkLiGLyIo1QS8GgR+uOoEJ8v5rNZLW1SU Q4SWExj8IQL+ofUDn4U1zbKtyRXybURC0GWGjbX8F4YJrLBmAuCeJNB6If4RTT/T q9ZFYPwRzjOO+QZMICKDZlIriQKBgQDXmY6auU8uPSkPbCuZzUPX3z+fVVwRg8mm zPGlsZ+uQvQT9qU37RpoWKxMRjjS61F2qdyxr6+++LqmAVU/QSdokJQP2A0LVCeG +zPY/6zj4Y7CI81T2r9P6eVBVhS7eg9ggrnyIqwdBykh+u0zKXDSkfp7hEoChvL0 G6Cc2+MxnwKBgAwii/5Uit+BldNm7SskdbhMp3ivoPcYga+eDUaSE0fOK+wucokp jjuWC/uKXsSmNirerQzv3rqfxE4tG/pQ1Qrd9Sc0aVFI7VJ0E0tFAlWBN5S4GDle gk2TgO+FLLxP0M3BO4E2X+hIskGfwfte0U3W25n6lcs1LlD8hMpnXm2JAoGBAJAu zUOD8gQGOtNpj68HqvtO/Ylc2HmOHOlD3cblhthPRlOjetJv6l0mD/PiclX7sTse Vc0upOWeCZTDB3OJ6wTuy1XdMrwEx3ppvD6+nay4R3Rl5QbTH2YeEYckPjEya94r DpdzwI6ZH1TuLnssl5r6rPy1d5lBDnFZmIvOMZ4ZAoGAL9m3qzKmOlqGAD32w11V 0zzr0orZPRiCXZ1SqQ1MRwKUexZeDCee4ZVZhhPtlyk8btqgG4j85RffFHbcwuv3 eGgx6S/6GzXRu0sICLrAmHT+Q2WA/PKp0kD6Abz1DXLJUjr/nF6UUkqEOrCvGXoq 2MhMYc07op+riO+4pUwfzRY= -----END PRIVATE KEY-----
Perform PKCS #12 operations
Create PKCS #12 archive using samplepassword as a password.
$ openssl pkcs12 -export -name example.org -in example.org.pem -inkey example.org.key -out example.org.p12 -password pass:samplepassword
Print information about PKCS #12 file as a simple verification step. Provide a password using the command-line.
$ openssl pkcs12 -in example.org.p12 -info -password pass:samplepassword -noout MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Print information about PKCS #12 file as a simple verification step. Provide a password using a file.
$ echo "samplepassword" > passwordfile
$ openssl pkcs12 -in example.org.p12 -info -password file:passwordfile -noout MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Print information about PKCS #12 file as a simple verification step. Provide a password using standard input.
$ openssl pkcs12 -in example.org.p12 -info -noout Enter Import Password: ************** MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Certificate bag PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 204
Display the subject for each stored certificate.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nokeys -clcerts | openssl x509 -noout -subject subject=CN = example.org
Display the friendly name for each stored certificate.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nokeys -clcerts | grep friendlyName friendlyName: example.org
Extract and display certificates, private keys from PKCS #12 archive.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nodes
Bag Attributes
localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
friendlyName: example.org
subject=CN = example.org
issuer=CN = example.org
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIUY5YmshFi3LCcZ4659dQ90IUpMX0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwHhcNMjAwMTE0MDAwMDExWhcNMjIw
MTEzMDAwMDExWjAWMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANWClj4Jn7D4MUHMjZUcY/dx3RroU+tPgEkUjxJU
P9srhkDWKIVFqzZDfFldHg3KWQWvbmHVhWGobQY6ylx5epFy62nAXMvkfkiPefne
6A6XxOomhJ71E4VeSNiY50vbRxzOOwKb+P+3gtK7KauRK42cP7xjGEQlpVTFOvjl
wGmbUhZxZqS1jpjc6GMkaCIl8+oJD9kCzBjTLBLs+rw4DlFndfxim22HEbRClE48
/6eJ0AY9eZzkpuAaPTjYvqIaw+s/QWAZTJ+0Ev5YKw5PgPnb7qDPb0hbIcnG2F6/
3Gn3GR6lVrhWjlB1fGxEFDoP8BoGIBafPf8xUlfDyRTZQxcCAwEAAaNTMFEwHQYD
VR0OBBYEFHJPh7s99IvIYjWZCsiOmEOpbEaYMB8GA1UdIwQYMBaAFHJPh7s99IvI
YjWZCsiOmEOpbEaYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AIHsx0NMJ7AgyZF/pSlG2dNhxm79K9qdDB+adXkdPpQzzIpGAPprU392SVjTYKtZ
S9Y4ELrL+G/XwANLWp6UzeMZXsQfUf23LifIrvhHgjtQt/OfRIdlWjWdVOaFHg8T
TZPYcHUHv836evf/2lfLbj2eZIBXoXjfOi+pDlxM/h1avrSgS25FG9Qz8PnK8xJ2
85r2xseSYxfhTEzb+N8f8RmTdClWwTT6TdeyDaQ0xwdp0W2xWKTCAkgwFyAxAcmk
5n37C8eNZWSrLQEk8i35/ziC2mpgQrNNuxGoG2U8h2RC/e5OZXgxkTqao6ul82Yt
CUVAgzzpIshyiy/VrSjVKoM=
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
friendlyName: example.org
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVgpY+CZ+w+DFB
zI2VHGP3cd0a6FPrT4BJFI8SVD/bK4ZA1iiFRas2Q3xZXR4NylkFr25h1YVhqG0G
OspceXqRcutpwFzL5H5Ij3n53ugOl8TqJoSe9ROFXkjYmOdL20cczjsCm/j/t4LS
uymrkSuNnD+8YxhEJaVUxTr45cBpm1IWcWaktY6Y3OhjJGgiJfPqCQ/ZAswY0ywS
7Pq8OA5RZ3X8YptthxG0QpROPP+nidAGPXmc5KbgGj042L6iGsPrP0FgGUyftBL+
WCsOT4D52+6gz29IWyHJxthev9xp9xkepVa4Vo5QdXxsRBQ6D/AaBiAWnz3/MVJX
w8kU2UMXAgMBAAECggEAGq6NFAej2zvI/A4SC3ZWz8988CXkht2SjI9zKbk5mawg
xO1+dtk0Aj4AxjIq1VJaOamow7UpTAD+Tu795vyPYqnX3Ylaj2hol6zGc4F1wo0Y
4KIbpLm/zMTxmY/SJ9qpUmI7YaIYReyq/qbBGF218aZ7GJHRsIJ73NIhAoXDu+6g
fWjRg19hSz/EM/68hPxM7vstPC0S/zdMicrnbcCtA23AJL5cyifa1W1VkMv3SW3t
fswSvxLT4qDRyBxc6Xq0ULNm1Q+FMyhqtPhnUX4qi9289cal0U+9rfEhFc2q0I2T
VujPz76Ncm4IGeh/lf67dHYvwy7qHaPmL3Wto1U0IQKBgQD9hMjS6k8pkz7WCLJl
0JNHw0QWczM5+q2BfQM7w8McmWX0mvKqkLiGLyIo1QS8GgR+uOoEJ8v5rNZLW1SU
Q4SWExj8IQL+ofUDn4U1zbKtyRXybURC0GWGjbX8F4YJrLBmAuCeJNB6If4RTT/T
q9ZFYPwRzjOO+QZMICKDZlIriQKBgQDXmY6auU8uPSkPbCuZzUPX3z+fVVwRg8mm
zPGlsZ+uQvQT9qU37RpoWKxMRjjS61F2qdyxr6+++LqmAVU/QSdokJQP2A0LVCeG
+zPY/6zj4Y7CI81T2r9P6eVBVhS7eg9ggrnyIqwdBykh+u0zKXDSkfp7hEoChvL0
G6Cc2+MxnwKBgAwii/5Uit+BldNm7SskdbhMp3ivoPcYga+eDUaSE0fOK+wucokp
jjuWC/uKXsSmNirerQzv3rqfxE4tG/pQ1Qrd9Sc0aVFI7VJ0E0tFAlWBN5S4GDle
gk2TgO+FLLxP0M3BO4E2X+hIskGfwfte0U3W25n6lcs1LlD8hMpnXm2JAoGBAJAu
zUOD8gQGOtNpj68HqvtO/Ylc2HmOHOlD3cblhthPRlOjetJv6l0mD/PiclX7sTse
Vc0upOWeCZTDB3OJ6wTuy1XdMrwEx3ppvD6+nay4R3Rl5QbTH2YeEYckPjEya94r
DpdzwI6ZH1TuLnssl5r6rPy1d5lBDnFZmIvOMZ4ZAoGAL9m3qzKmOlqGAD32w11V
0zzr0orZPRiCXZ1SqQ1MRwKUexZeDCee4ZVZhhPtlyk8btqgG4j85RffFHbcwuv3
eGgx6S/6GzXRu0sICLrAmHT+Q2WA/PKp0kD6Abz1DXLJUjr/nF6UUkqEOrCvGXoq
2MhMYc07op+riO+4pUwfzRY=
-----END PRIVATE KEY-----
Extract certificates and private keys from PKCS #12 archive.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nodes -out example.org.certificate
Extract and display certificate from PKCS #12 archive.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -clcerts -nokeys
Bag Attributes
localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
friendlyName: example.org
subject=CN = example.org
issuer=CN = example.org
-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIUY5YmshFi3LCcZ4659dQ90IUpMX0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwHhcNMjAwMTE0MDAwMDExWhcNMjIw
MTEzMDAwMDExWjAWMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANWClj4Jn7D4MUHMjZUcY/dx3RroU+tPgEkUjxJU
P9srhkDWKIVFqzZDfFldHg3KWQWvbmHVhWGobQY6ylx5epFy62nAXMvkfkiPefne
6A6XxOomhJ71E4VeSNiY50vbRxzOOwKb+P+3gtK7KauRK42cP7xjGEQlpVTFOvjl
wGmbUhZxZqS1jpjc6GMkaCIl8+oJD9kCzBjTLBLs+rw4DlFndfxim22HEbRClE48
/6eJ0AY9eZzkpuAaPTjYvqIaw+s/QWAZTJ+0Ev5YKw5PgPnb7qDPb0hbIcnG2F6/
3Gn3GR6lVrhWjlB1fGxEFDoP8BoGIBafPf8xUlfDyRTZQxcCAwEAAaNTMFEwHQYD
VR0OBBYEFHJPh7s99IvIYjWZCsiOmEOpbEaYMB8GA1UdIwQYMBaAFHJPh7s99IvI
YjWZCsiOmEOpbEaYMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AIHsx0NMJ7AgyZF/pSlG2dNhxm79K9qdDB+adXkdPpQzzIpGAPprU392SVjTYKtZ
S9Y4ELrL+G/XwANLWp6UzeMZXsQfUf23LifIrvhHgjtQt/OfRIdlWjWdVOaFHg8T
TZPYcHUHv836evf/2lfLbj2eZIBXoXjfOi+pDlxM/h1avrSgS25FG9Qz8PnK8xJ2
85r2xseSYxfhTEzb+N8f8RmTdClWwTT6TdeyDaQ0xwdp0W2xWKTCAkgwFyAxAcmk
5n37C8eNZWSrLQEk8i35/ziC2mpgQrNNuxGoG2U8h2RC/e5OZXgxkTqao6ul82Yt
CUVAgzzpIshyiy/VrSjVKoM=
-----END CERTIFICATE-----
Extract certificate from PKCS #12 archive and store it to a file.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -clcerts -nokeys -out extracted_example.org.pem
Extract and display private key from PKCS #12 archive.
$ openssl pkcs12 -in example.org.p12 -password file:a -nocerts -nodes
Bag Attributes
localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
friendlyName: example.org
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVgpY+CZ+w+DFB
zI2VHGP3cd0a6FPrT4BJFI8SVD/bK4ZA1iiFRas2Q3xZXR4NylkFr25h1YVhqG0G
OspceXqRcutpwFzL5H5Ij3n53ugOl8TqJoSe9ROFXkjYmOdL20cczjsCm/j/t4LS
uymrkSuNnD+8YxhEJaVUxTr45cBpm1IWcWaktY6Y3OhjJGgiJfPqCQ/ZAswY0ywS
7Pq8OA5RZ3X8YptthxG0QpROPP+nidAGPXmc5KbgGj042L6iGsPrP0FgGUyftBL+
WCsOT4D52+6gz29IWyHJxthev9xp9xkepVa4Vo5QdXxsRBQ6D/AaBiAWnz3/MVJX
w8kU2UMXAgMBAAECggEAGq6NFAej2zvI/A4SC3ZWz8988CXkht2SjI9zKbk5mawg
xO1+dtk0Aj4AxjIq1VJaOamow7UpTAD+Tu795vyPYqnX3Ylaj2hol6zGc4F1wo0Y
4KIbpLm/zMTxmY/SJ9qpUmI7YaIYReyq/qbBGF218aZ7GJHRsIJ73NIhAoXDu+6g
fWjRg19hSz/EM/68hPxM7vstPC0S/zdMicrnbcCtA23AJL5cyifa1W1VkMv3SW3t
fswSvxLT4qDRyBxc6Xq0ULNm1Q+FMyhqtPhnUX4qi9289cal0U+9rfEhFc2q0I2T
VujPz76Ncm4IGeh/lf67dHYvwy7qHaPmL3Wto1U0IQKBgQD9hMjS6k8pkz7WCLJl
0JNHw0QWczM5+q2BfQM7w8McmWX0mvKqkLiGLyIo1QS8GgR+uOoEJ8v5rNZLW1SU
Q4SWExj8IQL+ofUDn4U1zbKtyRXybURC0GWGjbX8F4YJrLBmAuCeJNB6If4RTT/T
q9ZFYPwRzjOO+QZMICKDZlIriQKBgQDXmY6auU8uPSkPbCuZzUPX3z+fVVwRg8mm
zPGlsZ+uQvQT9qU37RpoWKxMRjjS61F2qdyxr6+++LqmAVU/QSdokJQP2A0LVCeG
+zPY/6zj4Y7CI81T2r9P6eVBVhS7eg9ggrnyIqwdBykh+u0zKXDSkfp7hEoChvL0
G6Cc2+MxnwKBgAwii/5Uit+BldNm7SskdbhMp3ivoPcYga+eDUaSE0fOK+wucokp
jjuWC/uKXsSmNirerQzv3rqfxE4tG/pQ1Qrd9Sc0aVFI7VJ0E0tFAlWBN5S4GDle
gk2TgO+FLLxP0M3BO4E2X+hIskGfwfte0U3W25n6lcs1LlD8hMpnXm2JAoGBAJAu
zUOD8gQGOtNpj68HqvtO/Ylc2HmOHOlD3cblhthPRlOjetJv6l0mD/PiclX7sTse
Vc0upOWeCZTDB3OJ6wTuy1XdMrwEx3ppvD6+nay4R3Rl5QbTH2YeEYckPjEya94r
DpdzwI6ZH1TuLnssl5r6rPy1d5lBDnFZmIvOMZ4ZAoGAL9m3qzKmOlqGAD32w11V
0zzr0orZPRiCXZ1SqQ1MRwKUexZeDCee4ZVZhhPtlyk8btqgG4j85RffFHbcwuv3
eGgx6S/6GzXRu0sICLrAmHT+Q2WA/PKp0kD6Abz1DXLJUjr/nF6UUkqEOrCvGXoq
2MhMYc07op+riO+4pUwfzRY=
-----END PRIVATE KEY-----
Extract private key from PKCS #12 archive and store it to a file.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nocerts -nodes -out extracted_example.org.key
Extract private key from PKCS #12 archive and store it to a password-protected file.
$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nocerts -passout pass:privatekeypass -out extracted_example.org.key
Additional information
Password protect the private key.
$ openssl rsa -des3 -in example.org.key -out example.org.enc.key -passout pass:privatekeypass
Decrypt key before adding it to a PKCS #12 archive.
$ openssl pkcs12 -export -name example.org -in example.org.pem -inkey example.org.enc.key -passin pass:privatekeypass -out example.org.p122 -password pass:samplepassword
Common errors
Wrong password for PKCS #12 archive.
MAC: sha1, Iteration 2048 MAC length: 20, salt length: 8 Mac verify error: invalid password?
Wrong password for the private key.
140590081270208:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:537: 140590081270208:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:461: