[openssl-users] pkcs12 oddity

Jan Just Keijser janjust at nikhef.nl
Sat Feb 13 23:55:38 UTC 2016

hi list,

we just ran into an "openssl pkcs12" oddity with various versions of 
openssl (e.g. 1.0.1e from Fedora):

$ cat usercert.pem userkey.pem | openssl pkcs12 -export -out blah.p12
Enter pass phrase:
unable to load certificates

i.e. fails, but this works:

$ cat  userkey.pem usercert.pem | openssl pkcs12 -export -out blah.p12
Enter pass phrase:
Enter Export Password:
Verifying - Enter Export Password:

this works: it seems the private key must always be listed first!
However, the man page for pkcs12 states:

        -in filename
            The filename to read certificates and private keys from, standard input by default.  They must all be in
            PEM format. The order doesn't matter but one private key and its corresponding certificate should be
            present. If additional certificates are present they will also be included in the PKCS#12 file.

so, what am I doing wrong here? (the command listed above is not the 
actual command we want to use, but it does bring out the problem very 

thanks for any help and pointers,

JJK / Jan Just Keijser

More information about the openssl-users mailing list