Difference between revisions of "PKCS 12"

From MgmtWiki
Latest revision as of 22:16, 31 January 2021

Full Title

"PKCS #12: Personal Information Exchange Syntax", PKCS Version 1.1, December 2012.

Context

The full PKCS #12 standard is very complex. It enables buckets of complex objects such as PKCS #8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.

Problem

You need a .pfx file to install HTTPS on a website for Microsoft's and many other web servers. PFX is Microsoft's name for a file that holds a PKCS #12 key structure.

If you have two separate files, a certificate (.cer or .pem) and a private key (.crt), they need to be converted to P12 or PFX format.

Solution

You will need to use openssl. Some web servers will later require the password that protects the private key to be supplied in a file, so it is good practice to create that file now, before you build the PKCS 12 file. The OpenSSL command line app does not echo any characters while you enter your password; just type it and press Enter and you will see that it is working. This password MUST be well protected from disclosure.

 openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

The key file is just a text file with your private key in it.

If you also have the root CA and intermediate certificates, include them as well. OpenSSL reads only the last -in option given, so repeating -in does not add certificates; put the CA certificates into one file and pass it with -certfile:

 cat intermediate.crt rootca.crt > chain.crt
 openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt -certfile chain.crt

To look at the certificates in an existing .pfx (PKCS #12) container:

 openssl pkcs12 -nokeys -in /ASP.NET/Https/TrustRegistry.pfx -clcerts -nodes |openssl x509 -noout -text
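The following is an added example, not code from the wiki page: it carries the Solution above through end to end, building a .pfx with the export password read from a file, passing the CA certificates via -certfile (OpenSSL only keeps the last -in given), and then inspecting the container to confirm that the whole chain and the matching private key are inside. It assumes the openssl command line tool is on PATH; every file it touches is a constructed scratch file in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki page: builds a PKCS #12 (.pfx) container the way
# the Solution above describes, supplies the export password from a file instead of
# typing it, then checks what ended up inside.  Assumptions: the openssl CLI is on
# PATH; every file name below is a constructed scratch file in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificates (constructed test data): one for the site and
# two that stand in for the intermediate and root CA certificates of a real chain.
make_selfsigned() {   # $1 = base file name, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_selfsigned domain.name   "domain.name"
make_selfsigned intermediate  "Example Intermediate CA"
make_selfsigned rootca        "Example Root CA"

# Keep the export password in an owner-only file, as the page recommends, and hand
# it to OpenSSL with -passout/-passin file: so it is never typed or put on argv.
umask 077
printf '%s\n' 'constructed-example-password' > "$WORK/pfx.pass"

# Build the .pfx.  OpenSSL reads only the last -in given, so the CA certificates go
# into one concatenated file passed with -certfile, not into repeated -in options.
build_pfx() {
  cat "$WORK/intermediate.crt" "$WORK/rootca.crt" > "$WORK/chain.crt"
  openssl pkcs12 -export -out "$WORK/domain.name.pfx" \
    -inkey "$WORK/domain.name.key" -in "$WORK/domain.name.crt" \
    -certfile "$WORK/chain.crt" -passout "file:$WORK/pfx.pass"
}

# Inspect the container: -nokeys drops the private key, -nodes leaves the PEM
# output unencrypted; each certificate in the bag prints one BEGIN line.
count_certs() {   # $1 = path to .pfx ; prints the number of certificates inside
  openssl pkcs12 -in "$1" -nokeys -nodes -passin "file:$WORK/pfx.pass" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Confirm the private key stored in the .pfx belongs to the site certificate by
# comparing public keys; prints "match" or "mismatch".
key_matches_cert() {   # $1 = path to .pfx, $2 = path to site certificate
  from_key=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "file:$WORK/pfx.pass" 2>/dev/null \
    | openssl pkey -pubout)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout)
  if [ "$from_key" = "$from_cert" ]; then echo match; else echo mismatch; fi
}

build_pfx
echo "certificates in domain.name.pfx: $(count_certs "$WORK/domain.name.pfx")"   # 3
echo "key/cert: $(key_matches_cert "$WORK/domain.name.pfx" "$WORK/domain.name.crt")"
```

The two checks at the end are the ones worth running against any .pfx before handing it to a web server: a chain count lower than expected usually means the CA certificates were given with repeated -in and silently dropped, and a key/certificate mismatch means the wrong -inkey file was used.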

You can install OpenSSL from the openssl binaries page (https://www.openssl.org/community/binaries.html), or just run bash, as OpenSSL is typically included with that shell.

References

* This version 1.1 standard is now maintained by the IETF as RFC 7292 (https://tools.ietf.org/html/rfc7292).
* "The PKCS#12 standard needs another update" (http://unmitigatedrisk.com/?p=543), commentary by Ryan Hurst.
* "The Most Common OpenSSL Commands" (https://www.sslshopper.com/article-most-common-openssl-commands.html) includes descriptions of the above sequences.