[openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?

Jakob Bohm jb-openssl at wisemo.com
Tue Feb 20 11:23:14 UTC 2018

On 20/02/2018 11:04, Tobias Dussa (SCC) wrote:
> Hi,
> I was wondering whether it was possible somehow to take a certificate and an
> enciphered private key, both in .pem format, and combine them into a PKCS12
> structure without knowing the key passphrase?
> Googling does not reveal much useful information, unfortunately, and so far we
> have been unsuccessfully diving into PKCS12/8/5 specs.  I don't really see a
> reason why it should not be possible, but of course that doesn't mean it is. :)
> THX & Cheers,
> Toby.
In the commonly accepted variants of PKCS#12, private key and all the
certificates are encrypted with the same password.  PKCS#12 with
different password for private key and certificates is not widely

In the concatenated PEM format, only the private key is encrypted, but
not the certificates.

So to convert from concatenated PEM format to PKCS#12, even if the
encrypted private key could be kept without decrypting the private
key, the password for the private key is still needed to encrypt
the certificates with the same password.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list