I have a .p10 file and a password; however, I haven't been able to find what I need to do to convert this into a certificate and an RSA private key file, which needs to also include the bag attributes (localkeyid and friendlyname) and the key attributes as well as issuer and subject in the certificate.

I'm on OS X and I do have OpenSSL installed (if needed I can also use Ubuntu or Windows though), and was able to view the attributes and issuer/subject using `openssl req -noout -text -in file.p10` but I'm not sure where to go from here.

I need these files for pybankid.

Amelius
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Oct 15 '16 at 20:22
  • PKCS #10 is for Signing Requests. You can't convert it to a certificate because the Certificate Authority has to produce it for you. They have to provide a signature over the ***`ToBeSigned`*** and then return the minted certificate to you. Are you sure you don't have a PFX or PKCS #12 formatted file? – jww Oct 15 '16 at 21:28
  • Can you explain why this isn't a development question? – Amelius Oct 15 '16 at 21:36
  • @jww I'm basically trying to use a library called pybankid (which asks for a cert.pem and a key.pem), but I was given only a .p10 file and a password for it (and I thought that a PKCS #10 wasn't what I needed, but the people insisted that's what they had and that the previous developer had no issue with it) – Amelius Oct 15 '16 at 21:38
  • Creating a CSR (pkcs10 aka p10) required the privatekey, and a CA issues a cert 'from' (using) the CSR. You need to either get a real CA (like Letsencrypt) to issue you a cert from the CSR, or create your own CA and issue the cert yourself (which openssl can do) although probably no one else will trust it. And in either case openssl can combine the cert with the privatekey you must ALREADY HAVE into a pkcs**12** with 'bag' attributes. @jww is right this belongs on security or maybe Unix, but near-dupe http://stackoverflow.com/questions/29994878/ already covers much of it. – dave_thompson_085 Oct 15 '16 at 21:42
  • @jww: Q says `openssl req -in file.p10` works so it is indeed pkcs10. OP: but if pybankid wants 'cert.pem and key.pem' then those _cannot_ contain bag attributes. pkcs12 has bags, those don't. PS: look at the 'p10' file to see if maybe it contains _both_ a privatekey block AND a certreq block -- in PEM format that's possible, though not usually done because it's confusing. – dave_thompson_085 Oct 15 '16 at 21:43
  • @Amelius - *"Can you explain why this isn't a development question"* - Well, the high level sniff test I use is: is it a programming or development question. In this case, it's easy to pass the test: show me the code. The best I can tell, you are seeking help with running commands. Getting help for the types of commands you are using is a better fit elsewhere. – jww Oct 15 '16 at 22:17

1 Answer

You need to complete a few more steps in order to get what you need.

Let me explain the complete process to create a certificate:

  1. Generate a key (with or without a pass phrase).

  2. Create a Certificate Signing Request (CSR) using your key.

  3. Send your CSR to the Certificate Authority (CA) (in your case the partnering bank) and ask them to sign it.

  4. Once you get the certificate from the CA, convert it to the desired format using your key.

The .p10 file you have is most likely a CSR. To verify, try:

```
openssl req -noout -text -in *.p10
```

and look for something like:

```
Certificate Request:
Data:
    Version: 0 (0x0)...
```

You have a pass phrase, but it's not clear to me if you have access to the key used to generate the CSR. Make sure you do before you send your request to the CA (step 3). Otherwise you will not be able to use the signed certificate.

Once you have a signed certificate (something like cert.crt), you can see the details using this command:

```
openssl x509 -text -in cert.crt -noout
```

Now you are ready for the final step (4).

To generate a .pfx/.p12 file, use:

```
openssl pkcs12 -inkey *.key -in *.crt -export -out certificate.pfx
```

To then convert certificate.pfx to .pem (including bag attributes), use:

```
openssl pkcs12 -in *.pfx -out cert.pem -nodes
```

jjabba
  • The command to convert from a binary p10 into an ASCII crt doesn't work. It throws "unable to load X509 request 139716756115904:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE REQUEST" – K. Frank May 06 '20 at 11:07
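
A small triage helper for the question this thread keeps circling (is the file PEM or DER, and is it a PKCS #10 request, a PKCS #12 bundle or a certificate?), added here as an example and not code from any of the posts above. The function names, hint strings and sample bytes are constructed for illustration, and the DER branch is a heuristic on the first few ASN.1 headers, not a full parse.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _tlv(buf, pos):
    """Read one DER header at pos; return (tag, value offset, value length)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                        # long form: n length bytes follow
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def classify(data):
    """Heuristically identify a .p10/.pfx/.pem file; return (kind, hint)."""
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:                              # PEM: report every block found
        has_key = any(lab.endswith("PRIVATE KEY") for lab in labels)
        hint = "certificate present" if "CERTIFICATE" in labels else "no certificate yet"
        hint += "; private key in this file" if has_key else "; private key is elsewhere"
        return "pem: " + " + ".join(labels), hint
    try:
        tag, body, _ = _tlv(data, 0)
        if tag == 0x30:                     # every candidate is a DER SEQUENCE
            tag1, val1, len1 = _tlv(data, body)
            if tag1 == 0x02 and data[val1:val1 + len1] == b"\x03":
                return "der: pkcs12", "openssl pkcs12 -in FILE -info -noout"
            if tag1 == 0x30:
                tag2, val2, len2 = _tlv(data, val1)
                if tag2 == 0xA0:            # explicit [0] version: X.509 v2/v3
                    return "der: certificate", "openssl x509 -inform DER -in FILE -noout -text"
                # INTEGER 0 first: PKCS #10 (a v1 cert with serial 0 looks the same)
                if tag2 == 0x02 and data[val2:val2 + len2] == b"\x00":
                    return "der: csr", "openssl req -inform DER -in FILE -noout -text"
    except IndexError:                      # truncated input
        pass
    return "unknown", "neither PEM nor a recognised DER structure"

# Constructed samples: PEM markers with dummy bodies, DER cut down to headers.
SAMPLES = {
    "pem_csr_and_key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
                       b"-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n-----END CERTIFICATE REQUEST-----\n",
    "der_csr": bytes.fromhex("30053003020100"),
    "der_pkcs12": bytes.fromhex("3003020103"),
    "der_cert": bytes.fromhex("30043002a000"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob))
```

On a real file, pass `open(path, "rb").read()` to `classify`; a `der: csr` result means `openssl req` needs `-inform DER`, which is what the "no start line" error in the last comment indicates.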