"openssl pkcs12" Merging Key with Certificate

Cryptography Tutorials - Herong's Tutorial Examples

∟Migrating Keys from "OpenSSL" Key Files to "keystore"

∟"openssl pkcs12" Merging Key with Certificate

This section provides a tutorial example on how to merge a private key and its self-signed certificate into a single PKCS#12 file, with can be then encoded as PEM and encrypted with DES.

PKCS#12 (Personal Information Exchange Syntax Standard) defines how a private key and its related certificates should be stored in single file. In this section, I want to try the following:

Use "openssl reg -new -x509" command to create a self-signed certificate with my private key.
Use "openssl pkcs12 -export" command to merge my private key and my certificate into a PKCS#12 file.
Use "openssl pkcs12" command to parse a PKCS#12 file into an encrypted PEM file.

My command session was recorded as blow:

C:\herong>rem self-signed certificate in X509 format, PEM encoding
herong> openssl req -new -x509 -key openssl_key.pem -keyform pem \
   -out openssl_crt.pem -outform pem -config openssl.cnf

You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:

C:\herong>rem key and certificate merged in PKCS#12 format
herong> openssl pkcs12 -export -inkey openssl_key.pem \
   -in openssl_crt.pem -out openssl_key_crt.p12 -name openssl_key_crt

Loading 'screen' into random state - done
Enter Export Password: p12pass
Verifying - Enter Export Password:

C:\herong>rem encrypt the PKCS#12 file
herong> openssl pkcs12 -in openssl_key_crt.p12 \
   -out openssl_key_crt_enc.pem

Enter Import Password: p12pass
MAC verified OK
Enter PEM pass phrase: keypass
Verifying - Enter PEM pass phrase: keypass

Notes on the commands and options I used:

"openssl req -new -x509" command generates a self-signed certificate based on the given private and public key pair.
"openssl pkcs12 -export" command merges the private and public key pair with its self-signed certificate into a PKCS#12 file.
"-inkey openssl_key.pem" option specifies the private and public key pair in PEM encoded file.
"-in openssl_crt.pem" option specifies the self-signed certificate in PEM encoded file.
"-out openssl_key_crt.p12" option specifies the output PKCS#12 file name.
"-name openssl_key_crt" option specifies a name for the key pair and the certificate in the PKCS#12 file.
"openssl pkcs12" command without "-export" option parses a PKCS#12 file as input.

The result is very nice. My private key and my self-signed certificate are stored in single files now:

openssl_key_crt.p12 - PKCS#12 file, encrypted, binary form.
openssl_key_crt_enc.pem - PEM encoded and encrypted private key and PEM encoded certificate in one file.

Want to see the file structure of openssl_key_crt_enc.pem? Here it is:

herong> more openssl_key_crt_enc.pem

Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
subject=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Her...
issuer=/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Hero...
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEBhMCQ0Ex
...
joy2xMaAryTrfoyUyqL10TusG3MeoXnHl4u4F5mLbQgr13CYHjdp
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: B5 BA 41 DE E6 FE 22 70 D7 C8 C8 55 76 E6 AF 92 6B...
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5845E016B16C7803

xo6pJ9madEbOB9SAQgIGC3GeZ7xDqHZJm6RkquOju23dSxzzetR2u/PPtnQ82hK0
...
7DSeQRZg3a1TTwQXwYXCqHdc2qLzISH/C4ERqm7EqJ2PCsEe7GSfmA==
-----END RSA PRIVATE KEY-----

openssl_key_crt_enc.pem looks like a concatenated file of the key PEM file and certificate PEM file.

Now I have the final PKCS#12 file with my private key and certificate. I can verify it with Java SE "keytool" command as described in the next section.