Creating a .p12 file

Asked 15/1, 2014 at 15:18 Answered 3/5 at 6:0

108

Using openssl, I've created a private key as follows:

openssl genrsa -out myKey.pem

Then, to generate the csr demanded by the CA, I've executed the following:

openssl req -new -key myKey.pem -out cert.csr

The CA responded with a certificate which I stored in a file named myCert.cer

I'd now like to bundle the necessary components (private key, public key(?) and certificate) into a single .p12. To do so I've run the following:

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer

but I'm getting the following error message:

No certificate matches private key

How can I accomplish this?

Arrack answered 15/1, 2014 at 15:18 Comment(2)

Btw if someone wants to sign the cert.csr hisself, then one could use openssl x509 -req -in cert.csr -signkey key.pem -out cert.crt and then openssl pkcs12 -export -in cert.crt -inkey key.pem -out cert.p12. No need to use the additional command from the answer. – Trickster 2/12, 2015 at 13:21

How is the .cer generated, mentioned in the question above? – Portwine 4/8, 2022 at 20:29

149

The openssl documentation says that file supplied as the -in argument must be in PEM format.

Turns out that, contrary to the CA's manual, the certificate returned by the CA which I stored in myCert.cer is not PEM format rather it is PKCS7.

In order to create my .p12, I had to first convert the certificate to PEM:

openssl pkcs7 -in myCert.cer -print_certs -out certs.pem

and then execute

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem

Arrack answered 15/1, 2014 at 17:51 Comment(8)

what is "myKey.pem"? which file is it? – Gabo 27/3, 2015 at 9:44

That's the one that has the private key; see the beginning of the question. – Arrack 27/3, 2015 at 10:25

Best explanation step by step of how to create a p12 file. Thanks for it! – Cerallua 5/5, 2015 at 10:52

What does certs.pem include? Both public and private key? – Helli 6/4, 2018 at 12:33

Just the certificate (public key) – Arrack 8/4, 2018 at 22:2

certs.pem should ideally be the fullchain pem instead of just the issued cert pem so you won't get issues with intermediate / root CA not being provided. – Figure 28/11, 2021 at 7:50

in my case i don't had a myKey.pem file, my private key file was created as .key file, so if it's your case too use openssl pkcs12 -export -out keyStore.p12 -inkey private_key.key -in certs.pem – Musser 29/8, 2022 at 21:22

If your p12 is rejected with incorrect password (apple tools), try legacy format with -legacy – Eldrida 1/1 at 15:59

I'm debugging an issue I'm having with SSL connecting to a database (MySQL RDS) using an ORM called, Prisma. The database connection string requires a PKCS12 (.p12) file (if interested, described here), which brought me here.

I know the question has been answered, but I found the following steps (in Github Issue#2676) to be helpful for creating a .p12 file and wanted to share. Good luck!

Generate 2048-bit RSA private key:

openssl genrsa -out key.pem 2048
Generate a Certificate Signing Request:

openssl req -new -sha256 -key key.pem -out csr.csr
Generate a self-signed x509 certificate suitable for use on web servers.

openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
Create SSL identity file in PKCS12 as mentioned here

openssl pkcs12 -export -out client-identity.p12 -inkey key.pem -in certificate.pem

Landman answered 13/1, 2021 at 20:12 Comment(5)

Apparently, when it asks you to enter a password on the 4th command, you're supposed to literally type "password", and then confirm by typing it again. I must be missing something... – Dao 8/2, 2021 at 19:45

@KevinBeal from my understanding, the password it requests is the password used to secure the PKCS12 file. You get to create the password. If someone wanted to open and inspect the PKCS12 file, you would need the password to access the file, I believe. – Landman 9/2, 2021 at 16:37

In step 3, I was given the option to choose a password. If that's the password you're referring to, it didn't work at all. This link appears to show that the password is "password". But I know almost nothing about it. – Dao 10/2, 2021 at 15:35

You can be prompted for a password up to twice. If the input key file requires one you will be prompted for that, then you will be prompted for the password to set on the output .p12 file. You can avoid the prompt for the latter with -passout and the former with -passin, see openssl-passphrase](openssl.org/docs/manmaster/man1/openssl-passphrase-options.html) docs for details (tl;dr -passout pass:"your password here"). – Raki 16/2, 2022 at 20:14

openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem Warning: No -copy_extensions given; ignoring any extensions in the request – Amu 13/9, 2023 at 12:12

In a single line, let's generate it for 10 years validation, for example

openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 3650 -keyout my.key -out my.cer;openssl pkcs12 -export -out my.p12 -inkey my.key -in my.cer

It will create a self signed certificate my.cer for 3650 days validation with a 2048 length RSA key my.key outputting my.p12 utility file

Admissive answered 3/5 at 6:0 Comment(0)

Recommended topics

Hot tags