
Check P12 Pfx File With OpenSSL Pkcs12 Command

PKCS#12 files are commonly used to import and export certificates and private keys on Windows and macOS computers, and usually have the filename extensions .p12 or .pfx.

OpenSSL on Linux

If we are using Linux, we can install OpenSSL with the following YUM console command:

> yum install openssl

If our distribution is based on APT instead of YUM, we can use the following command instead:

> apt-get install openssl

Create a .pfx/.p12 file using OpenSSL pkcs12

  • openssl pkcs12 -inkey privateKey.key -in certificate.crt -certfile more.crt -export -out certificate.pfx

Breaking down the command:

  • openssl – the command for executing OpenSSL
  • pkcs12 – the file utility for PKCS#12 files in OpenSSL
  • -export -out certificate.pfx – export and save the PFX file as certificate.pfx
  • -inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
  • -in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
  • -certfile more.crt – optional; use it when we have additional certificates we would like to include in the PFX file.

Note:

  • Our P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
  • Our P12 file can contain a maximum of 10 intermediate certificates.

View PKCS#12 Information

To dump all of the information in a PKCS#12 file in PEM format, use this command:

  • openssl pkcs12 -info -in certificate.p12 -nodes

Note:

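  • -nodes: writes the private key to the output unencrypted, without a passphrase. It does not generate a new key. In OpenSSL 3.0 and later, -nodes is deprecated in favor of -noenc.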

Encrypt Private Key with OpenSSL pkcs12

If we would like to encrypt the private key and protect it with a password before output, simply omit the -nodes flag from the command. OpenSSL then prompts for a PEM pass phrase and encrypts the key with it:

  • openssl pkcs12 -info -in certificate.p12

Extract Only Certificates or Private Key with OpenSSL pkcs12

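If we only want to output the private key, add -nocerts to the command. The second command below writes the key unencrypted to privateKey.key, so access to that file should be restricted: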

  • openssl pkcs12 -info -in certificate.p12 -nodes -nocerts
  • openssl pkcs12 -in certificate.p12 -out privateKey.key -nodes -nocerts

And to create a file including only the certificates, use this:

  • openssl pkcs12 -in certificate.p12 -out certificate.crt -nokeys
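
The commands above can be combined into one check that a PKCS#12 file opens with its password, contains a private key that matches its certificate, and stays within the 10-certificate limit from the note. This is an added example, not part of the original page: the names p12, check_p12, make_sample and the P12_PASS environment variable are assumptions of this example, and the test key and certificates are constructed.

```shell
#!/bin/sh
# Added example. The password is read from the P12_PASS environment variable
# (an assumption of this example) so it never appears in the process list.

# p12 ARGS...: run "openssl pkcs12" on the bundle named in $P12_FILE.
p12() { openssl pkcs12 -in "$P12_FILE" -passin env:P12_PASS "$@" 2>/dev/null; }

# check_p12 FILE: 0 = OK, 1 = unreadable or wrong password, 2 = no private key,
# 3 = key does not match the certificate, 4 = more than 10 extra certificates.
check_p12() {
    P12_FILE=$1
    # The file must parse and its MAC must verify with the password.
    p12 -noout || return 1
    # Derive the public key from the private key; the key stays inside the pipe.
    key_pub=$(p12 -nocerts -nodes | openssl pkey -pubout 2>/dev/null) || true
    [ -n "$key_pub" ] || return 2
    # -clcerts selects the certificate that belongs to the private key.
    crt_pub=$(p12 -clcerts -nokeys | openssl x509 -pubkey -noout 2>/dev/null) || true
    [ "$key_pub" = "$crt_pub" ] || return 3
    # -cacerts selects the remaining (intermediate/CA) certificates.
    extra=$(p12 -cacerts -nokeys | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$extra" -le 10 ] || return 4
    echo "OK: key matches certificate, $extra additional certificate(s)"
}

# make_sample DIR: build constructed test material using the page's file names.
make_sample() (
    cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout privateKey.key \
        -out certificate.crt -subj "/CN=leaf.example.test" -days 1 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout more.key \
        -out more.crt -subj "/CN=ca.example.test" -days 1 2>/dev/null &&
    openssl pkcs12 -export -inkey privateKey.key -in certificate.crt \
        -certfile more.crt -out certificate.pfx -passout env:P12_PASS &&
    # Certificate-only bundle, to exercise the "no private key" result.
    openssl pkcs12 -export -nokeys -in certificate.crt \
        -out certonly.pfx -passout env:P12_PASS
)
```

P12_PASS must be exported before calling either function, because OpenSSL reads it from the environment of the child process.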