How to convert .P12 Certificate (ECC crypted) to .PEMs

David von Oheimb it at
Fri May 27 20:50:51 UTC 2022

Hi Michael,

openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass:<pw> -nodes

is sufficient to convert all credentials in the PKCS#12 file to a single
PEM file with the key being stored unencrypted.
Since OpenSSL 3.0, the outdated -nodes option has been deprecated; so
there better use -noenc.

To get the leaf cert only, your

openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
passin pass:<pw>

is adequate, while to get the related key only, it is sufficient to use

openssl pkcs12 -in "inCert.p12" -nocerts -noenc -out "outKey.pem" -
passin pass:<pw>

To decrypt any type of key, you can use e.g., 

openssl pkey -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>

All the commands mentioned above work regardless of the key type (RSA,
EC, etc.).
If you really need to handle (in this case: decrypt) specifically EC
keys, you can use, e.g.,

openssl ec -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>

On Wed, 2022-05-25 at 19:23 +0000, Lynch, Pat wrote:
> Try adding the following command line arguments:   -outform pem

This won't work because the openssl pkcs12 command does not have an -
outform option.
And for those having it such as openssl x509, it is not needed because
PEM is the default.


> From: openssl-users <openssl-users-bounces at>On Behalf Of
> Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users at' <openssl-users at>
> Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs
> Hi OpenSSLCommunity,
> actual I have to convert a .P12 certificate (RSA crypted/created) into
> .PEM certificates,
> I use the following commands:
> openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
> passin pass:<pw>
> openssl pkcs12 -in "outCert.pem" -nocerts -out "outTmpKey.pem" -passin
> pass:<pw> -passout pass:<pw>
> openssl rsa -in "ouTmpKey.pem" -out "outKey.pem" -passin pass:<pw>
> I can’t say, if these 3 commands are the best way, but they still work
> fine and I can use the outCert.pem and the outKey.pem.
> Now I have to convert a .P12 certificate, which is crypte d/created
> with ECC.
> The first command still works (I think so, ‘cause there are no
> errors):
> openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -
> passin pass:<pw>
> But not the rest of the commands. I tried to use theec orecparam
> parameter, but I couldn’t figure out how to use them correct.
> I am happy about any help or hint
> Regards
> Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list