<html><head>
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 70.85pt 56.7pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word"><div>Hi Michael,</div><div><br></div><div><font face="monospace">openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass:<pw> -nodes</font></div><div><br></div><div><span></span></div><div>is sufficient to convert all credentials in the PKCS#12 file to a single PEM file with the key being stored unencrypted.</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666667px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;">Since OpenSSL 3.0, the outdated<font face="monospace"><span class="Apple-converted-space"> </span>-nodes</font><span class="Apple-converted-space"> </span>option has been deprecated; so there better use<span class="Apple-converted-space"> </span><font face="monospace">-noenc</font>.</div><br class="Apple-interchange-newline"><div>To get the leaf cert only, your</div><div><br></div><div><font face="Courier New, Courier, monospace">openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw></font></div><div><br></div><div>is adequate, while to get the related key only, it is sufficient to use</div><div><br></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Cantarell; font-size: 14.666667px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"><font face="Courier New, Courier, monospace">openssl pkcs12 -in "inCert.p12" -nocerts -noenc -out "outKey.pem" -passin pass:<pw></font></div><div><br></div><div><br></div><div>To decrypt any type of key, you can use e.g., </div><div><br></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 14.666667px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none;"><font face="Courier New, Courier, monospace">openssl pkey -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw></font></div><br class="Apple-interchange-newline"><div>All the commands mentioned above work regardless of the key type (RSA, EC, etc.).</div><div>If you really need to handle (in this case: decrypt) specifically EC keys, you can use, e.g.,</div><div><br></div><div></div><div><font face="Courier New, Courier, monospace">openssl ec -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw></font></div><div><br></div><div><br></div><div>On Wed, 2022-05-25 at 19:23 +0000, Lynch, Pat wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class="WordSection1"><p class="MsoNormal">Try adding the following command line arguments: -outform pem<o:p></o:p></p></div></blockquote><div><br></div><div>This won't work because the <font face="Courier New, Courier, monospace">openssl pkcs12</font> command does not have an <font face="monospace">-outform </font>option.<br>And for those having it such as <font face="monospace">openssl x509</font>, it is not needed because PEM is the default.</div><div><br></div><div>Regards,</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>David</div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div class="WordSection1"><p class="MsoNormal"><o:p> </o:p></p><div><div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> openssl-users <openssl-users-bounces@openssl.org><b>On Behalf Of </b>Beilharz, Michael<br><b>Sent:</b> Wednesday, May 25, 2022 3:10 AM<br><b>To:</b> 'openssl-users@openssl.org' <openssl-users@openssl.org><br><b>Subject:</b> How to convert .P12 Certificate (ECC crypted) to .PEMs<o:p></o:p></p></div></div><p class="MsoNormal"><o:p> </o:p></p><p><span style="font-family: Verdana, sans-serif; font-size: 11pt;">Hi OpenSSL</span><span style="font-family: Verdana, sans-serif; font-size: 11pt;">Community</span><span style="font-family: Verdana, sans-serif; font-size: 11pt;">,</span></p><div><p class="MsoNormal"><span lang="DE" style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">actual I have to convert a .P12 certificate (RSA crypted/created) into .PEM certificates,<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">I use the following commands:<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">openssl pkcs12 -in "outCert.pem" -nocerts -out "outTmpKey.pem" -passin pass:<pw> -passout pass:<pw><o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">openssl rsa -in "ouTmpKey.pem" -out "outKey.pem" -passin pass:<pw><o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">I can’t say, if these 3 commands are the best way, but they still work fine and I can use the outCert.pem and the outKey.pem.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">Now I have to convert a .P12 certificate, which is crypte d/created with ECC.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">The first command still works (I think so, ‘cause there are no errors):<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw><o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">But not the rest of the commands. I tried to use the</span><span style="font-size:10.0pt;font-family:"Courier New"">ec</span><span style="font-family:"Verdana",sans-serif"> or</span><span style="font-size:10.0pt;font-family:"Courier New"">ecparam </span><span style="font-family:"Verdana",sans-serif">parameter, but I couldn’t figure out how to use them correct.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">I am happy about any help or hint<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">Regards<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif">Michael<o:p></o:p></span></p><p class="MsoNormal"><span style="font-family:"Verdana",sans-serif"><o:p> </o:p></span></p></div></div></blockquote></body></html>