[openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Feb 20 12:15:40 UTC 2018


Hi,

On Tue, Feb 20, 2018 at 12:23:14PM +0100, Jakob Bohm wrote:
> >Googling does not reveal much useful information, unfortunately, and so far we
> >have been unsuccessfully diving into PKCS12/8/5 specs.  I don't really see a
> >reason why it should not be possible, but of course that doesn't mean it is. :)
> In the commonly accepted variants of PKCS#12, private key and all the
> certificates are encrypted with the same password.  PKCS#12 with
> different password for private key and certificates is not widely
> supported.

I see.

> In the concatenated PEM format, only the private key is encrypted, but
> not the certificates.

Yep.

> So to convert from concatenated PEM format to PKCS#12, even if the
> encrypted private key could be kept without decrypting the private
> key, the password for the private key is still needed to encrypt
> the certificates with the same password.

... iff you need to retain wide-spread compatibility.  So if that is not
necessary, the question remains: Is there a way to reuse an already-encrypted
privkey?

THX & Cheers,
Toby.
-- 
I know that you believe that you understood what you think I said,
but I am not sure you realize that what you heard is not what I meant.
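
Added example, not part of the original message or of OpenSSL: the quoted point that a concatenated PEM file encrypts only the private key and leaves the certificates in the clear can be checked by classifying each block in the bundle. The function name `classify_pem_bundle` and the sample bundle are constructed for illustration; the block bodies are placeholder base64, not real key material.

```python
import re

# Matches one PEM block: label, then optional RFC 1421 headers and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem_bundle(text):
    """Return a list of (label, protection) for every block in a PEM bundle."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: encryption is signalled by the label.
            state = "encrypted (PKCS#8)"
        elif label.endswith("PRIVATE KEY"):
            # Traditional format signals encryption in a header line instead.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.MULTILINE):
                state = "encrypted (traditional PEM)"
            else:
                state = "PLAINTEXT KEY"
        else:
            # Certificates and other public objects are never encrypted in PEM.
            state = "not encrypted"
        results.append((label, state))
    return results

# Constructed sample bundle (placeholder bodies, hypothetical contents).
SAMPLE = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END EC PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, state in classify_pem_bundle(SAMPLE):
        print(f"{label:25s} {state}")
```

Any block reported as `PLAINTEXT KEY` is a private key stored without a password and should be re-encrypted or access-restricted before the bundle is distributed.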