Convert pfx format to p12
L

8

159

I need to export a .pfx format certificate (from Windows MMC) to .p12 to use in another application. I can't find a way to do this.

Can anyone suggest a method?

Limeade answered 25/7, 2011 at 16:7 Comment(0)
G
280

.p12 and .pfx are both PKCS #12 files. Am I missing something?

Have you tried renaming the exported .pfx file to have a .p12 extension?

Gardell answered 25/7, 2011 at 19:10 Comment(5)
Makes you wonder why there are two different file extensions if they're really the same thing under the hood. – Sorority
The reason there are two file extensions is historical. PFX was a Microsoft extension, while P12 was the Netscape one. Both formats have been adapted now to be identical, meaning that developers are able to use the .NET System.Security.Cryptography.X509Certificates namespace to work with both of them. See here for more information. – Jann
The filename extension for PKCS #12 files is ".p12" or ".pfx". Microsoft's "PFX" has received heavy criticism of being one of the most complex cryptographic protocols. PKCS #12 is the successor to Microsoft's "PFX". PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories. – Scrutiny
Renaming does not always work. For example, if you use SoapUI and test 2-way authentication with it, it fails. p12 and pfx have a history going back to Netscape and IE. They are ALMOST the same but not identical files, so some apps can understand both regardless of extension and others, such as SoapUI, need a 100% compatible valid p12. – Tericaterina
This has not worked in our case at all. Even though they are both supposed to be PKCS12 files, renaming isn't working, and I haven't loaded a hex editor to see why that doesn't work. – Talc
B
28

I had trouble with a .pfx file with openconnect. Renaming didn't solve the problem. I used keytool to convert it to .p12 and it worked.

keytool -importkeystore -destkeystore new.p12 -deststoretype pkcs12 -srckeystore original.pfx

In my case the password for the new file (new.p12) had to be the same as the password for the .pfx file.

Bloodless answered 3/4, 2017 at 18:1 Comment(4)
It did not work, even though I used the same password for both. I got the error "keytool error: java.io.IOException: Invalid keystore format". – Indign
It worked for me, thanks for the keytool command. – Settles
This was an awesome help when updating my SSL cert in TeamCity. Thank you. – Reddy
As I had to change the password, too, I've added the option -destkeypass to this command and it worked like a charm. – Biforked
T
12

If you are looking for a quick, manual process with a UI, I always use Mozilla Firefox to convert from PFX to P12. First, import the certificate into the Firefox browser (Options > Privacy & Security > View Certificates... > Import...). Once installed, perform the export to create the P12 file: choose the certificate name from the Certificate Manager, click Backup..., enter the file name, and then enter the password.

Told answered 6/7, 2018 at 14:26 Comment(0)
T
5

This is more of a continuation of jglouie's response.

If you are using openssl to convert the PKCS#12 certificate to public/private PEM keys, there is no need to rename the file. Assuming the file is called cert.pfx, the following three commands will create a public pem key and an encrypted private pem key:

openssl pkcs12 -in cert.pfx     -out cert.pem     -nodes -nokeys
openssl pkcs12 -in cert.pfx     -out cert_key.pem -nodes -nocerts
openssl rsa    -in cert_key.pem -out cert_key.pem -des3

The first two commands may prompt for an import password. This will be a password that was provided with the PKCS#12 file.

The third command will let you specify the encryption passphrase for the certificate. This is what you will enter when using the certificate.

Tobit answered 5/9, 2017 at 16:3 Comment(1)
The first command overwrites the second, so perhaps just do step 2 and 3. FYI for readers, Des3 is the default encryption for the private key. – Ochrea
M
2

In my case, I wanted to import a .pfx exported from Entrust and import it into gpgsm. gpgsm did not like that PFX:

$ gpgsm --import name.pfx
gpgsm: directory '/home/me/.gnupg' created
gpgsm: keybox '/home/me/.gnupg/pubring.kbx' created
gpgsm: data error at "pkcs5PBES2-params", offset 134
gpgsm: error at "bag-sequence", offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0

Paul Chan's answer above worked (using Firefox), but I wanted a command line solution.

Inspired by the other answers, I simply tried roundtripping it using openssl pkcs12, and it worked:

# Convert pfx to pem
$ openssl pkcs12 -in name.pfx -out name.pem
# Convert pem to p12
$ openssl pkcs12 -export -in name.pem -out name.p12
$ gpgsm --import name.p12
gpgsm: 2456 bytes of RC2 encrypted text
# ...
gpgsm: total number processed: 3
gpgsm:               imported: 2
gpgsm:       secret keys read: 1
gpgsm:   secret keys imported: 1
Milson answered 17/3, 2022 at 23:17 Comment(2)
FWIW, with gpgsm 2.2.27, even after roundtripping I got the very same error message. Possibly the default algorithms changed? – Compel
Interesting... If I recall correctly, that was on Ubuntu 20.04 with GPG and OpenSSL installed from Ubuntu repos, so GPG 2.2.19 and OpenSSL 1.1.1f... – Milson
N
1

Run this command to change .cert file to .p12:

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt 

Where server.key is the server key and server.crt is a CA-issued cert or a self-signed cert file.

Nourishing answered 18/5, 2017 at 15:9 Comment(1)
The question was how to convert from pfx to p12, not from .cert to .p12. – Loadstone
U
1

First, we have a certificate.PFX file.

Step 1: (Extract Private Key)

openssl pkcs12 -in certificate.pfx -nocerts -out private.key -passin pass:123123 -passout pass:123123

Step 2: (Create P12 file)

openssl pkcs12 -export -out ewallet.p12 -inkey private.key -in certificate.cer -passin pass:123123 -passout pass:123123
Uranian answered 7/11, 2021 at 8:26 Comment(2)
What if I don't have certificate.cer for the second command? – Muncey
@RomanMarusyk You can export it from the pfx file if you replace the -nocerts in the step 1 command with -nokeys. – Apply
F
0

It seems that legacy encryption algorithms have been dropped in openssl which are still used in gpgsm. This means that you have to explicitly re-enable them while converting the keys with openssl:

openssl pkcs12 -in input.pfx -out output.pem
openssl pkcs12 -export -in output.pem -out output.p12 -legacy
Feather answered 30/1 at 9:59 Comment(0)
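
The gpgsm error at "pkcs5PBES2-params", the "RC2 encrypted text" line after the round trip, and the -legacy flag in the answers above all turn on which password-based encryption scheme a PKCS#12 file declares internally, which the .pfx/.p12 extension does not reveal. As an added example (not code from any answer on this page), this Python walker lists those schemes from the file's DER structure; `pbe_schemes`, `collect_oids` and `SAMPLE` are names chosen here, and `SAMPLE` is a constructed skeleton with placeholder salt and ciphertext, not a usable key store.

```python
# Added example (not from the thread). Assumes definite-length DER input.
PBE = {"1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
       "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
       "1.2.840.113549.1.5.13": "PBES2",
       "2.16.840.1.101.3.4.1.42": "aes256-CBC"}

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated or not DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                     # base-128 digits, high bit set = more follows
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)         # first byte packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first, *arcs[1:]]))

def collect_oids(buf):
    found, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06:                   # OBJECT IDENTIFIER
            found.append(decode_oid(body))
        elif tag & 0x20:                  # constructed: SEQUENCE, SET, [0] EXPLICIT
            found += collect_oids(body)
        elif tag == 0x04:                 # OCTET STRING may wrap more DER (authSafe)
            try:
                found += collect_oids(body)
            except (ValueError, IndexError):
                pass                      # opaque bytes: salt or ciphertext
    return found

def pbe_schemes(p12_bytes):
    return [PBE[oid] for oid in collect_oids(p12_bytes) if oid in PBE]

# Constructed: PFX > authSafe > [encryptedData (RC2-40 certs), data > shrouded key bag (3DES)]
SAMPLE = bytes.fromhex(
    "3081a9 020103 3081a3 06092a864886f70d010701 a08195 048192 30818f"
    "3043 06092a864886f70d010706 a036 3034 020100 302f 06092a864886f70d010701"
    "301c 060a2a864886f70d010c0106 300e 040853414c5453414c54 02020800 8004deadbeef"
    "3048 06092a864886f70d010701 a03b 0439 3037 3035 060b2a864886f70d010c0a0102 a026 3024"
    "301c 060a2a864886f70d010c0103 300e 040853414c5453414c54 02020800 0404deadbeef")
```

On a real file, call `pbe_schemes(open("name.pfx", "rb").read())`; `openssl pkcs12 -in name.pfx -info -noout` reports the same schemes. A file that lists PBES2 is what older parsers reject, and one that lists RC2 or 3DES is what OpenSSL 3 only writes with -legacy.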