How to create a p12 private key and certificate file
For this you will need:
- openssl
- a private key
- a certificate based on the private key above
- (optional) a ca-chain intermediate certificate
One step only!
Create p12 file
Create p12 from certificate and private key
$> openssl pkcs12 -export -out frank-623.p12 -inkey frank-623-private.key.txt -in /etc/pki/tls/certs/intermediate-ca/client-signed.cert
- or -
Create p12 from certificate, private key and CA-intermediate certificate
$> openssl pkcs12 -export -out frank-623.p12 -inkey frank-623-private.key.txt -in /etc/pki/tls/certs/intermediate-ca/client-signed.cert -certfile /etc/pki/tls/certs/intermediate-ca/intermediate.cert.pem
Extract from p12 file
This is done in two steps.
Extract the private key from p12
openssl pkcs12 -in super-bundle.p12 -nocerts -out private.key -nodes
Or without password prompting:
openssl pkcs12 -in super-bundle.p12 -nocerts -out private.key -nodes -passin pass: -passout pass:
Note: The -nodes option is important (it makes openssl write the key without encrypting it); otherwise you will get just text:
[dev@centosmini ~]$ cat private.key
Bag Attributes
    localKeyID: E1 36 58 6C 2E F0 4C D7 A7 EF D2 84 6E 2D F1 2A B9 FF B3 BE
Key Attributes: <No Attributes>
Extract the certificate(s) from p12
openssl pkcs12 -nokeys -out certificates.crt -in super-bundle.p12
Or without password prompting:
openssl pkcs12 -nokeys -out certificates.crt -in super-bundle.p12 -passin pass:
Extract only the client certificate (no ca-chain) by using -clcerts option
When you want to extract certificates from a p12 file, you only need the -nokeys option. There is also an option called -clcerts, which strips any ca-chain certificate:
openssl pkcs12 -clcerts -nokeys -out client-certificate.crt -in super-bundle.p12 -passin pass:
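Added example (not part of the original page): the create and extract steps above run end to end on a throwaway key, followed by a check that the extracted private key and client certificate really belong together. The file names, the CN, the P12_PASS variable and the function names are assumptions; env:P12_PASS replaces pass: so the pass phrase is not visible on the command line.

```shell
#!/bin/sh
# Added example. File names, the CN and the pass phrase are constructed values.

# Build a throwaway key + self-signed certificate, bundle them into a p12,
# then extract key and client certificate again (all inside directory $1).
p12_roundtrip() {
    P12_PASS='constructed-sample-pass'   # read by openssl through env:P12_PASS
    export P12_PASS
    (
        cd "$1" || exit 1
        umask 077   # -nodes output is an unencrypted key: owner-only files
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=example-client' \
            -keyout client.key -out client.crt 2>/dev/null || exit 1
        openssl pkcs12 -export -out bundle.p12 -inkey client.key \
            -in client.crt -passout env:P12_PASS || exit 1
        openssl pkcs12 -in bundle.p12 -nocerts -nodes -out private.key \
            -passin env:P12_PASS 2>/dev/null || exit 1
        openssl pkcs12 -in bundle.p12 -clcerts -nokeys \
            -out client-certificate.crt -passin env:P12_PASS 2>/dev/null
    )
}

# Succeed only if the PEM private key $1 and the PEM certificate $2 carry the
# same public key. A file holding only "Bag Attributes" text (no key) makes
# openssl fail to load it, so the function returns 2 instead of matching.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage: d=$(mktemp -d) && p12_roundtrip "$d" &&
#        key_matches_cert "$d/private.key" "$d/client-certificate.crt" && echo match
```

Running key_matches_cert on an extracted private.key catches the failure shown in the note above, where the file contains only bag attributes and no key.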