Create PKCS12/PFX Archive from Certificate and Private Key

I have been doing some work with security certifcates lately and had the chance to document the creation of PKCS12/PFX archives using command line tools without first having CSR/private key in a key store.

Site security certificate

Most are familar with the following work flow of obtaining a security certificate…

  • Generate Certificate Signing Request (CSR)
    • This generates a private key (sometimes out of interface scope)
  • Submit CSR to Certificate Authority (CA) for certificate generation
    • Internal Windows CA - certsrv
    • Public CA like - GoDaddy
  • Retrieve certificate bundle from CA
  • Import into keystore used to create CSR
    • The private key lives here (sometimes with no interface to manage, Windows for example)
  • Export PFX archive that includes certificate, private key, and CA certificate(s) protected with password
    • Include private key in the export

Voila! PFX Archive!

But… if you have the private key on a file system some where and not in a key store (Windows or Java), the work flow changes.

Note: Remeber to password protect any export of certificates with private keys with strong passwords

To bundle those together in a PKCS12/PFX archive file you can use OpenSSL command line tool, I am sure there are others. Available on all major flavors of Linux and installable other operating systems.

In the following example I use 7de8d3f8 (CRC32 of string ‘cormier’) as the <filename>.<ext>.

File Purpose Notes
7de8d3f8.pfx Our PFX Archive The result of a successful export
7de8d3f8.key Private Key Private key generated/used when signing CSR
7de8d3f8.crt Certificate Certificate generated by CA
CACert.p7b CA Certificate(s) Signing CA certificate(s)
$ openssl pkcs12 -export -out **7de8d3f8.pfx** -inkey 7de8d3f8.key -in 7de8d3f8.crt -CAfile CACert.p7b
Enter Export Password:
Verifying - Enter Export Password:

Microsoft Windows

Microsoft Windows, the operating system everybody loves to hate. In Windows, there can be private keys not attached to a certificate.

Programmatically you can use CryptAquireContext() to access a key. CryptoAPI contains many functions which allows you to import and use keys independently of certificates.

However there is no existing interface or file format for handling private keys, and applications DO NOT use keys by name, they use certificates.

In practice certificates and keys pair together and keys are reached only through certificates. A certificate and private key pair travel together, and they can do this as PKCS12 file (aka “PFX archive”).

Happy securing!

Nov 22, 2020 - Filed in: X.509 PKCS12 PKI PEM
Words: 400