Adam's Digital Garden

OpenSSL: The Start

What is PKCS#12 & PKCS#8?

PKCS#12 is the preferred format for exchanging certificates that have private keys.

PEM format certificates can have the extensions .pem, .crt, .cer, and .key. They can be server certs, intermediate certs, and private keys. Files start and end with BEGIN and END statements.

DER format is the binary form of the ASCII PEM format. Save it as .cer; to distinguish it from a PEM format file, open it in Notepad. It is used to transport public keys; otherwise use PKCS#12, as it is safer.

PKCS#8 is not a file type, but a syntax for private-key information.

PKCS#12 (.p12 or .pfx) is an archive file format for storing many objects in a single binary data file. See PEM format certificates. You can put the private key together with an X.509 certificate and even the whole chain of trust. A password protects the private certificate that can be in the file, which makes it the best way to transport private keys. The objects inside a PKCS#12 file are called SafeBags, each of which can be signed and encrypted.

How to extract key and cert from a PKCS#12 file?

# Extract encrypted key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [thekey.pem]
# Decrypt the key
openssl rsa -in [thekey.pem] -out [decryptedkey.pem]

# Extract the cert
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [thecertificate.pem]

Syntax fixes

Converting the key to PKCS#8 syntax from traditional format

Key differences between Traditional syntax


whereas PKCS#8 syntax is


To convert the syntax to PKCS#8, use

openssl pkcs8 -in <private key file> -topk8 -nocrypt -out <new private key file>
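To check which syntax a key file uses before converting it, the following sketch classifies a file by its PEM BEGIN label or, for DER, by the leading ASN.1 tags. It is an added example, not part of the original note; the names `classify`, `read_tlv` and `SAMPLES` are illustrative, and the sample inputs are constructed skeletons, not real keys.

```python
import re

PEM_LABELS = {  # in PEM the BEGIN label names the syntax
    "RSA PRIVATE KEY": "traditional RSA private key (PKCS#1)",
    "PRIVATE KEY": "PKCS#8 private key, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 private key, encrypted",
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
DER_SHAPES = {  # in DER only the tags do: outer element, then its first two
    (0x30, 0x02, 0x02): "traditional RSA private key (PKCS#1)",  # version, modulus
    (0x30, 0x02, 0x30): "PKCS#8 private key, unencrypted",  # version, algorithm
    (0x30, 0x30, 0x04): "PKCS#8 private key, encrypted",  # algorithm, ciphertext
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than two bytes remain
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify(data):
    """Classify PEM text by its label, or raw DER bytes by their structure."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        return "PEM: " + PEM_LABELS.get(label, "unrecognised label " + label)
    tag, start, _ = read_tlv(data, 0)
    t1, s1, e1 = read_tlv(data, start)
    t2 = read_tlv(data, e1)[0]
    shape = DER_SHAPES.get((tag, t1, t2), "unrecognised structure")
    if (t1, t2) == (0x02, 0x30) and data[s1:e1] == b"\x03":
        shape = "PKCS#12 archive"  # same leading tags as PKCS#8, but version 3
    return "DER: " + shape

# Constructed skeletons, not real keys: only the outer tags carry meaning.
SAMPLES = {
    "pkcs1.der": bytes.fromhex("3006020100020105"),
    "pkcs8.der": bytes.fromhex("30080201003000040100"),
    "pkcs8-enc.der": bytes.fromhex("30053000040100"),
    "bundle.pfx": bytes.fromhex("30050201033000"),
    "pkcs8.pem": b"-----BEGIN PRIVATE KEY-----\nMAgCAQAwAAQBAA==\n-----END PRIVATE KEY-----\n",
}
for name, blob in SAMPLES.items():
    print(f"{name:14} {classify(blob)}")
```

The tag check is a heuristic for telling these few structures apart, not a validator; `openssl asn1parse` shows the full structure of a file.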