How to use OpenSSL to manage a PKCS #12 archive

Use OpenSSL to create, inspect and extract the contents of a PKCS #12 archive.

Create sample certificate

Create a self-signed sample certificate with a 2048-bit RSA private key, valid for 730 days.

$ openssl req -subj "/commonName=example.org/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout example.org.key -out example.org.pem

The certificate is written to example.org.pem.

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The private key is written to example.org.key. Because of -nodes it is stored unencrypted.

-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

Perform PKCS #12 operations

Create a PKCS #12 archive protected with the password samplepassword.

$ openssl pkcs12 -export -name example.org -in example.org.pem -inkey example.org.key -out example.org.p12 -password pass:samplepassword

Print information about the PKCS #12 file as a simple verification step. Provide the password on the command line. A password passed this way is visible in the process list and in the shell history.

$ openssl pkcs12 -in example.org.p12 -info -password pass:samplepassword -noout
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Print information about the PKCS #12 file as a simple verification step. Provide the password from a file, and keep that file readable only by its owner.

$ echo "samplepassword" > passwordfile
$ openssl pkcs12 -in example.org.p12 -info -password file:passwordfile -noout
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Print information about the PKCS #12 file as a simple verification step. Enter the password at the interactive prompt.

$ openssl pkcs12 -in example.org.p12 -info -noout
Enter Import Password: **************
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
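
The -info output above shows the archive protected with pbeWithSHA1And40BitRC2-CBC, pbeWithSHA1And3-KeyTripleDES-CBC and a SHA-1 MAC, all legacy PKCS #12 schemes. The following shell function is an added example, not part of the original page, that reads such output and flags them; the function names are hypothetical and the second sample is constructed.

```shell
# p12_audit reads `openssl pkcs12 -info -noout` text on stdin, prints one
# finding per legacy setting and returns 1 if anything was flagged.
p12_audit() {
    awk '
        # "MAC: sha1, Iteration 2048" -> digest protecting archive integrity
        /^MAC:/ {
            alg = $2; sub(/,$/, "", alg)
            if (alg == "sha1" || alg == "md5") { print "MAC uses " alg; bad = 1 }
        }
        # Encrypted certificate bag and shrouded key bag: the first token
        # after the colon names the password-based encryption scheme.
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            part = ($1 == "Shrouded") ? "key bag" : "certificate bag"
            scheme = $0
            sub(/^[^:]*: /, "", scheme); sub(/,.*/, "", scheme)
            # pbeWithSHA1And... are the PKCS #12 v1 schemes (RC2, 3DES)
            if (scheme ~ /^pbeWithSHA1And/) { print part " uses " scheme; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Output copied from the -info run on this page.
legacy_sample() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: what an AES/PBKDF2-protected archive is assumed to print.
modern_sample() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}
```

To audit a real archive, pipe the -info command through 2>&1 into p12_audit. Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 to the -export command avoids the legacy schemes.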

Display the subject of the stored certificate. openssl x509 reads only the first certificate in its input.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nokeys -clcerts | openssl x509 -noout -subject
subject=CN = example.org

Display the friendly name for each stored certificate.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nokeys -clcerts | grep friendlyName
friendlyName: example.org

Extract and display the certificates and private keys from the PKCS #12 archive. With -nodes the private key is printed unencrypted.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nodes
Bag Attributes
    localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
    friendlyName: example.org
subject=CN = example.org
issuer=CN = example.org
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
    friendlyName: example.org
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

Extract the certificates and private keys from the PKCS #12 archive and store them in a file. The private key in that file is unencrypted.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nodes -out example.org.certificate

Extract and display the certificate from the PKCS #12 archive.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -clcerts -nokeys
Bag Attributes
    localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
    friendlyName: example.org
subject=CN = example.org
issuer=CN = example.org
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Extract the certificate from the PKCS #12 archive and store it in a file.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -clcerts -nokeys -out extracted_example.org.pem

Extract and display the private key from the PKCS #12 archive.

$ openssl pkcs12 -in example.org.p12 -password file:passwordfile -nocerts -nodes
Bag Attributes
    localKeyID: 4D 4E 49 0B 09 48 B8 6A F7 9E 6F C7 DC 94 FE 1B EF 07 58 F1
    friendlyName: example.org
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

Extract the private key from the PKCS #12 archive and store it unencrypted in a file.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nocerts -nodes -out extracted_example.org.key

Extract the private key from the PKCS #12 archive and store it in a password-protected file.

$ openssl pkcs12 -in example.org.p12 -password pass:samplepassword -nocerts -passout pass:privatekeypass -out extracted_example.org.key

Additional information

Password protect the private key.

$ openssl rsa -des3 -in example.org.key -out example.org.enc.key -passout pass:privatekeypass

Add a password-protected private key to a PKCS #12 archive. The -passin option supplies the key's password so that OpenSSL can decrypt the key before adding it.

$ openssl pkcs12 -export -name example.org -in example.org.pem -inkey example.org.enc.key -passin pass:privatekeypass -out example.org.p12 -password pass:samplepassword

Common errors

Wrong password for PKCS #12 archive.

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
Mac verify error: invalid password?

Wrong password for the private key.

140590081270208:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:537:
140590081270208:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:461: