How to convert .P12 Certificate (ECC crypted) to .PEMs
David von Oheimb
it at von-Oheimb.de
Fri May 27 20:50:51 UTC 2022
Hi Michael,
openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass:<pw> -nodes
is sufficient to convert all credentials in the PKCS#12 file to a single
PEM file with the key being stored unencrypted.
Since OpenSSL 3.0, the outdated -nodes option has been deprecated; so
there better use -noenc.
To get the leaf cert only, your
openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
passin pass:<pw>
is adequate, while to get the related key only, it is sufficient to use
openssl pkcs12 -in "inCert.p12" -nocerts -noenc -out "outKey.pem" -
passin pass:<pw>
To decrypt any type of key, you can use e.g.,
openssl pkey -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>
All the commands mentioned above work regardless of the key type (RSA,
EC, etc.).
If you really need to handle (in this case: decrypt) specifically EC
keys, you can use, e.g.,
openssl ec -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>
On Wed, 2022-05-25 at 19:23 +0000, Lynch, Pat wrote:
> Try adding the following command line arguments: -outform pem
This won't work because the openssl pkcs12 command does not have an -
outform option.
And for those having it such as openssl x509, it is not needed because
PEM is the default.
Regards,
David
>
> From: openssl-users <openssl-users-bounces at openssl.org>On Behalf Of
> Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users at openssl.org' <openssl-users at openssl.org>
> Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs
>
> Hi OpenSSLCommunity,
>
> actual I have to convert a .P12 certificate (RSA crypted/created) into
> .PEM certificates,
> I use the following commands:
> openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
> passin pass:<pw>
> openssl pkcs12 -in "outCert.pem" -nocerts -out "outTmpKey.pem" -passin
> pass:<pw> -passout pass:<pw>
> openssl rsa -in "ouTmpKey.pem" -out "outKey.pem" -passin pass:<pw>
>
> I can’t say, if these 3 commands are the best way, but they still work
> fine and I can use the outCert.pem and the outKey.pem.
>
> Now I have to convert a .P12 certificate, which is crypte d/created
> with ECC.
>
> The first command still works (I think so, ‘cause there are no
> errors):
> openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
> passin pass:<pw>
>
> But not the rest of the commands. I tried to use theec orecparam
> parameter, but I couldn’t figure out how to use them correct.
>
> I am happy about any help or hint
>
>
> Regards
> Michael
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220527/bbbfacd7/attachment.htm>
More information about the openssl-users
mailing list