Re: Create p12 from a .pem with only a private key

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Create p12 from a .pem with only a private key

Dirk-Willem van Gulik


> On 20 Feb 2020, at 08:38, Estefania <[hidden email]> wrote:
>
> Hi guys.
>
> I would like to ask if it is possible to create a p12 just with a .pem with
> private key but not certificate.

Try

        openssl req -x509 -subj /CN=foo -keyout /dev/null -nodes | openssl pkcs12 -out sample.p12 -export -certs

to make one containing just one cert without a private key.

Dw.
Reply | Threaded
Open this post in threaded view
|

Re: Create p12 from a .pem with only a private key

Dirk-Willem van Gulik
> On 20 Feb 2020, at 08:43, Dirk-Willem van Gulik <[hidden email]> wrote:
>> On 20 Feb 2020, at 08:38, Estefania <[hidden email]> wrote:
>> I would like to ask if it is possible to create a p12 just with a .pem with
>> private key but not certificate.
>
> Try
>
> openssl req -x509 -subj /CN=foo -keyout /dev/null -nodes | openssl pkcs12 -out sample.p12 -export -ce rts
>
> to make one containing just one cert without a private key.

Sorry - that should be

        openssl req -x509 -subj /CN=foo -keyout /dev/null -nodes | openssl pkcs12 -out x.p12 -export -nokeys

and

        openssl pkcs12 -in x.p12

to test.

Dw.
Reply | Threaded
Open this post in threaded view
|

RE: Create p12 from a .pem with only a private key

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Estefania
> Sent: Thursday, February 20, 2020 01:36
>
> I do not know if I explained well, i have a .pem with a private key inside
> like this.
>
> -----BEGIN PRIVATE KEY-----
> masdfasdfasdfasdfasdfasdfasdff
> asdfasdfasdfasdfasdfasdfasdfasf
> asdfasfasdfasdfasdfasdfasdfasdf
> -----END PRIVATE KEY-----
>
>
> and i need to convert it to .p12

This works fine for me:

$ openssl pkcs12 -export -inkey keyfile.pem -out keyfile.p12 -passin pass:keyfile-password -password pass:export-password -nocerts

You can verify the output with:

$ openssl pkcs12 -noout -info -in keyfile.p12

which (after entering the export password) should show the file contains the MAC and a PKCS#7 shrouded keybag.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


Reply | Threaded
Open this post in threaded view
|

Re: Create p12 from a .pem with only a private key

Hubert Kario
In reply to this post by Dirk-Willem van Gulik
On Thursday, 20 February 2020 09:35:56 CET, Estefania wrote:

> I do not know if I explained well, i have a .pem with a private key inside
> like this.
>
> -----BEGIN PRIVATE KEY-----
> masdfasdfasdfasdfasdfasdfasdff
> asdfasdfasdfasdfasdfasdfasdfasf
> asdfasfasdfasdfasdfasdfasdfasdf
> -----END PRIVATE KEY-----
>
>
> and i need to convert it to .p12
>
> do i need a certificate aswell?

technically, no, the standard allows for storing just the key in the
PKCS#12
file

that being said, I can imagine many implementations tripping over such
files

if you have a private key in "localhost.key" you can convert it to a
PKCS#12
file using the following command:

openssl pkcs12 -export -out file.p12 -inkey localhost.key -nocerts -keypbe
aes-128-cbc -passout pass:password

> I have tried what you suggest:
> $ openssl req -x509 -subj /CN=foo -keyout /dev/null -nodes | openssl pkcs12
> -out x.p12 -export -nokeys
> Generating a 2048 bit RSA private key
> ................+++
> .+++
> writing new private key to 'nul'
> -----
> Subject does not start with '/'.
> problems making Certificate Request
> unable to load certificates
>
> Thanks!
>
>
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>
>
>

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic