-1

I would like to create a .p12 or .pfk file. I have the following files:

  • xx.cer
  • xx.p7b
  • xx.pem
  • xx.pkcs8

I've tried a lot of openssl commands but I could only create a .p12 file of zero bytes.

Example of an openssl command that I executed:

openssl pkcs12 -export -inkey xx.pem -out xx.p12
Alexis Pigeon
tulyy

2 Answers

0

I don't know what is in the xx.pem file and what is in xx.pkcs8. The private key should be in one (or both?) of these files. I will assume that the private key is in the xx.pem file. Then the command to make a p12 file should be:

openssl pkcs12 -export -inkey ./xx.pkcs8 -in ./xx.pem -out ./xx.p12

OpenSSL will prompt you to add a password to the p12 file, but when typing there will be no asterisks on the screen. Don't worry, just type the password. This p12 file will contain the private key and the corresponding certificate. It will not include chain certificates, which could be in the xx.p7b file.

pepo
  • I have tested your command and I got this error : unable to load private key 54085:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY – tulyy Aug 15 '14 at 14:16
  • When you open xx.pem in text editor do you see any header like BEGIN RSA PRIVATE KEY followed by base64 encoded private key? Also check xx.pkcs8. – pepo Aug 15 '14 at 20:30
  • In the file xx.pem, there is the following text : -----BEGIN CERTIFICATE----- MIIByDCCATGgAwIBAgIIUk ... -----END CERTIFICATE----- – tulyy Aug 18 '14 at 08:07
  • OK, it could be CA certificate - take a look. What about xx.pkcs8? – pepo Aug 18 '14 at 17:01
  • In the xx.pkcs8, there is hexadecimal data like this : 3082 017c 301e 060a 2a86 4886 f70d 010c – tulyy Aug 19 '14 at 10:59
  • OK, let's try to get hexadecimal to PEM. Use [ASN.1 Editor](http://www.codeproject.com/Articles/4910/ASN-Editor) and its Data Converter tool to do that. Save the output to a file xx.b64 and add header (-----BEGIN RSA PRIVATE KEY-----) and footer (-----END RSA PRIVATE KEY-----). Then try the command from my answer but replace xx.pem with xx.b64 in the command. Hopefully the header and footer are correct and xx.pkcs8 really contains private key :) – pepo Aug 19 '14 at 11:57
  • OK. I might have made a mistake with the headers. If the private key was not encrypted with a password then the header should be (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----). If the private key was encrypted with a password then it should have headers (-----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY-----). Please try both. – pepo Aug 19 '14 at 13:41
  • I changed the header and the footer to "..ENCRYPTED PRIVATE KEY" and I executed the command. I entered the password and I get this error : No certificate matches private key – tulyy Aug 19 '14 at 14:36
  • OK. It's getting better :) Try to replace xx.cer with xx.pem. xx.cer contains CA certificate probably. – pepo Aug 19 '14 at 15:40
  • I'm not sure if I understand. I ran this command "openssl pkcs12 -export -inkey ./xx.pem -in ./xx.pem -out ./xx.p12", I entered the password, and I still get this error "No certificate matches private key" – tulyy Aug 19 '14 at 18:53
  • I have updated my answer. Try that command. Hopefully it will work. – pepo Aug 19 '14 at 19:56
  • My pkcs8 file is encrypted, but when I open it with the data converter tool it does not ask for a password, so the conversion may be incorrect. When I execute the new command I get this error "unable to load private key 59331:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY" – tulyy Aug 20 '14 at 07:08
  • When you convert from hex to PEM, the data converter adds some dummy headers. Replace those headers with the ones that I wrote. – pepo Aug 21 '14 at 05:20
0

I converted the pkcs8 file to pem and b64 and I updated the header and the footer. When I run the commands below, I get this error:

Commands:

openssl pkcs12 -export -inkey ./xx.pem -in ./xx.cer -out ./xx.p12
openssl pkcs12 -export -inkey ./xx.b64 -in ./xx.cer -out ./xx.p12

Results:

unable to load private key
58163:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/tasn_dec.c:1315:
58163:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/tasn_dec.c:827:
58163:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/tasn_dec.c:747:Field=version, Type=RSA
58163:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/d2i_pr.c:99:
58163:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/pem/pem_pkey.c:125:
tulyy
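The PEM label the comments go back and forth on (RSA PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY) can be read off the DER bytes themselves; a label that does not match the structure produces the kind of ASN.1 "wrong tag" failure shown above. The following is an added example, not code from any poster in this thread: it converts a hex dump like the one quoted from xx.pkcs8 into PEM and picks the label from the ASN.1 structure. The sample bytes are constructed dummy data and the function names are hypothetical.

```python
import base64
import re
import textwrap

# Constructed sample (dummy bytes, not a real key): an EncryptedPrivateKeyInfo
# written as a hex dump in the same 4-digit grouping quoted in the comments.
SAMPLE_HEX = """
3028 301c 060a 2a86 4886 f70d 010c 0103
300e 0408 0102 0304 0506 0708 0202 0800
0408 aabb ccdd eeff 0011
"""

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def pem_label(der):
    """Choose the PEM label that matches the DER structure of a private key."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a complete DER SEQUENCE")
    first_tag, f_start, f_end = read_tlv(der, start)
    inner_is_oid = der[f_start:f_start + 1] == b"\x06"
    next_tag = der[f_end:f_end + 1]       # empty if nothing follows
    if first_tag == 0x30 and inner_is_oid and next_tag == b"\x04":
        return "ENCRYPTED PRIVATE KEY"    # AlgorithmIdentifier, OCTET STRING
    if first_tag == 0x02 and next_tag == b"\x30":
        return "PRIVATE KEY"              # version, AlgorithmIdentifier (PKCS#8)
    if first_tag == 0x02 and next_tag == b"\x02":
        return "RSA PRIVATE KEY"          # version, modulus (PKCS#1)
    raise ValueError("DER does not look like a private key")

def hex_dump_to_pem(text):
    """Convert a whitespace-separated hex dump to PEM with the right label."""
    der = bytes.fromhex(re.sub(r"\s+", "", text))
    label = pem_label(der)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(hex_dump_to_pem(SAMPLE_HEX), end="")
```

The dump must hold the complete structure (the outer length is checked against the input size), and it is assumed to contain only hex digits and whitespace, with no offset column.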