I have been doing some work with security certificates lately and had the chance to document the creation of PKCS12/PFX archives using command line tools, without first having the CSR/private key in a key store.
Most are familiar with the following workflow for obtaining a security certificate…
- Generate Certificate Signing Request (CSR)
  - This generates a private key (sometimes out of interface scope)
- Submit CSR to Certificate Authority (CA) for certificate generation
  - Internal Windows CA - certsrv
  - Public CA like - GoDaddy
- Retrieve certificate bundle from CA
- Import into keystore used to create CSR
  - The private key lives here (sometimes with no interface to manage, Windows for example)
- Export PFX archive that includes certificate, private key, and CA certificate(s) protected with password
  - Include private key in the export
Voila! PFX Archive!
But… if you have the private key on a file system somewhere and not in a key store (Windows or Java), the workflow changes.
Note: Remember to password protect any export of certificates with private keys using a strong password.
To bundle those together in a PKCS12/PFX archive file you can use the OpenSSL command line tool (I am sure there are others). It is available on all major flavors of Linux and installable on other operating systems.
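Here is the file-system variant of the workflow above, end to end, as an added example that is not part of the original post: a private key, its certificate and the issuing CA certificate already sitting on disk are bundled into a password-protected PFX with `openssl pkcs12 -export`, and the result is opened again to confirm the password works and both certificates made it in. The file names, the friendly name and the throwaway CA/leaf pair the `demo` function generates are all constructed for this example; the export password is passed through an environment variable (`env:` passphrase source) so it does not show up in the process list or shell history.

```shell
#!/bin/sh
# Added example (not from the original post): bundle an on-disk private key,
# its certificate and the CA chain into a password-protected PKCS12/PFX.
set -eu

# The whole example depends on the openssl CLI; bail out cleanly if absent.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

# make_pfx KEY.pem CERT.pem CHAIN.pem OUT.pfx PASSWORD
# Builds the PFX from files that are already on the file system. The CA
# chain file may hold one or several PEM certificates.
make_pfx() {
    PFX_PASS="$5"; export PFX_PASS          # keep the password off the command line
    openssl pkcs12 -export \
        -inkey "$1" \
        -in "$2" \
        -certfile "$3" \
        -name "example-friendly-name" \
        -passout env:PFX_PASS \
        -out "$4"
    unset PFX_PASS
}

# pfx_cert_count FILE.pfx PASSWORD
# Opens the archive with the given password (fails if it is wrong, because the
# MAC check fails) and prints how many certificates it contains.
pfx_cert_count() {
    PFX_PASS="$2"; export PFX_PASS
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'
    unset PFX_PASS
}

# demo: generate constructed test material (1-day throwaway CA + leaf), bundle
# it, verify the bundle, and print the certificate count (expected: 2).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/leaf.crt" 2>/dev/null
    make_pfx "$work/leaf.key" "$work/leaf.crt" "$work/ca.crt" "$work/bundle.pfx" 'Str0ng-Export-Passphrase'
    pfx_cert_count "$work/bundle.pfx" 'Str0ng-Export-Passphrase'
    rm -rf "$work"
}

demo
```

In real use you would call `make_pfx` with your own key, certificate and CA bundle and skip `demo`; `pfx_cert_count` is the quick sanity check that the archive opens with the password you recorded and that the chain is complete before you hand it to whatever imports it.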