pkcs12 keystore maintenance keytool openssl - ghdrako/doc_snipets GitHub Wiki
https://www.misterpki.com/pkcs12/
A PKCS12 keystore is commonly used for both S/MIME user certificates and SSL/TLS server certificates. The keystore may contain private keys together with their corresponding certificates, with or without the complete chain. Its purpose is to store the credential of an identity, whether a person, a client, or a server. Common file extensions are .p12 and .pfx.
https://tools.ietf.org/html/rfc7292
The PKCS12 keystore format is standardised (RFC 7292) and non-proprietary, unlike JKS.
create a keystore with a self-signed certificate

```bash
# -genkey is the legacy name of -genkeypair; keytool prompts for the distinguished
# name unless -dname is given. For a PKCS12 store keytool protects the key entry
# with the store password, which is why -storepass sets both.
keytool -genkey \
  -alias somealias \
  -keystore keystore.p12 \
  -storetype PKCS12 \
  -keyalg RSA \
  -storepass somepass \
  -validity 730 \
  -keysize 4096
```
| Keytool option | Description |
|---|---|
| -genkey | Generate a key pair and store it in the keystore |
| -alias | Alias of the generated private key entry |
| -keystore | Keystore file to be created |
| -storetype | Type of keystore, PKCS12 in this example |
| -keyalg | Key algorithm of the key entry to be generated |
| -storepass | Password to set on both the key entry and the keystore |
| -validity | Validity (in days) of the certificate associated with the key entry |
| -keysize | Size of the generated private key in bits |
create a PKCS12 keystore from an existing private key and certificate using openssl

```bash
# openssl prompts for an export password unless -passout pass:... is given; that
# password encrypts the key bag and keys the integrity MAC of the file.
openssl pkcs12 \
  -export \
  -in certificate.pem \
  -inkey key.pem \
  -out keystore.p12
```
| OpenSSL option | Description |
|---|---|
| pkcs12 | Work with PKCS12 formatted keystores |
| -export | Create (export) a PKCS12 file rather than parse an existing one |
| -in | The existing certificate file |
| -inkey | The existing private key file |
| -out | The name of the newly created PKCS12 keystore |
convert a JKS keystore to PKCS12

```bash
# keytool prompts for the source store password unless -srcstorepass is given.
# -srcalias/-destalias copy a single entry; omit both to migrate every entry.
keytool -importkeystore \
  -srckeystore keystore.jks \
  -destkeystore keystore.p12 \
  -srcstoretype JKS \
  -deststoretype PKCS12 \
  -deststorepass password \
  -srcalias alias \
  -destalias alias
```
| Keytool option | Description |
|---|---|
| -importkeystore | Import an existing keystore into a new keystore |
| -srckeystore | The keystore to be imported |
| -destkeystore | The keystore that accepts the import |
| -srcstoretype | The type of the keystore to be imported |
| -deststoretype | The type of the keystore that accepts the import |
| -deststorepass | The password of the new keystore |
| -srcalias | The alias to be imported |
| -destalias | The alias to import to |
convert a PKCS12 keystore to JKS

```bash
keytool -importkeystore \
  -srckeystore example.p12 \
  -srcstoretype PKCS12 \
  -destkeystore example.jks \
  -deststoretype JKS
```
change the password of a PKCS12 keystore

```bash
# For a PKCS12 store this re-encrypts the key entries with the new password too,
# because keytool keeps key and store passwords identical there.
keytool -storepasswd -keystore keystore.p12
```

change the key password in that keystore for each alias:

```bash
# Only meaningful for JKS: keytool rejects -keypasswd when the store type is
# PKCS12, since the key password is the store password.
keytool -keypasswd -alias alias -keystore keystore.p12
```
change an alias name in a keystore

When generating a keystore, the default alias is `1` if none is set explicitly. This default varies with the software used to generate the keystore (keytool itself uses `mykey`).

```bash
# keytool prompts for the new name if -destalias is omitted.
keytool -changealias -keystore keystore.p12 -alias alias -destalias newalias
```
list the contents of a keystore

```bash
keytool -list -v -keystore keystore.p12
```
extract a private key from a keystore using openssl

```bash
# -nocerts prints only the key bags; -nodes writes the key unencrypted to stdout
# (OpenSSL 3 also accepts the newer spelling -noenc). Redirect to a file with
# restrictive permissions rather than leaving the key in a terminal scrollback.
openssl pkcs12 -in keystore.p12 -nocerts -nodes
```

Note that secret-key (symmetric) entries are not supported by openssl's pkcs12 command. If you attempt to extract a secret key entry you will receive the warning `Warning unsupported bag type: secretBag`.
extract certificates from a keystore using openssl

```bash
openssl pkcs12 -in example.p12 -nokeys
```

Here `-in example.p12` is the keystore and `-nokeys` means only the certificates are extracted, not the keys.
create a keystore that includes the certificate chain

Either pass the CA bundle separately with `-certfile`:

```bash
openssl pkcs12 -export -in my-cert.crt -inkey my-priv-key.key -certfile my-ca-bundle -out my-pfx.pfx -name "alias"
```

or, for a single certificate without chain (`-name` sets the friendlyName, which keytool shows as the alias):

```bash
openssl pkcs12 -export -in <signed_cert_filename> -inkey <private_key_filename> -name 'tomcat' -out keystore.p12
```

or concatenate the signed certificate and the intermediates first and export the concatenated file; openssl picks the certificate matching the key as the entry's certificate and stores the rest as extra certificates:

```bash
cat <signed_cert_filename> <intermediate.cert> [<intermediate2.cert>] > cert-chain.txt
openssl pkcs12 -export -in cert-chain.txt -inkey <private_key_filename> -name 'tomcat' -out keystore.p12
```
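The following POSIX shell script is an added example, not part of this wiki page or of misterpki.com. It carries the openssl steps above through end to end and checks the result: it constructs a throw-away test CA and a leaf certificate signed by it (stand-ins for your real key and signed certificate), concatenates leaf and CA into cert-chain.txt exactly as in the last two commands, exports the PKCS12 with `-name tomcat`, and then reads the keystore back (the `-nokeys` and `-nocerts -nodes` forms from the extraction sections) to count certificates and keys, confirm that the friendlyName is present, and confirm that a wrong password is rejected. The work directory, file names, the alias and the password `changeit` are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not code from the wiki page: build a PKCS12 keystore from a key
# plus certificate chain with openssl and verify what ended up inside it.
# Assumed names: $WORK, ks.p12, alias "tomcat", password "changeit".
set -e

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/ks.p12"
PASS="changeit"   # assumed demo password; -passin/-passout avoid interactive prompts
ALIAS="tomcat"    # stored as the friendlyName attribute, i.e. the keytool alias

# Constructed test PKI: a throw-away CA and a leaf certificate it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Leaf first, then the issuing chain: the cat ... > cert-chain.txt step.
build_chain() {
    cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/cert-chain.txt"
}

# openssl picks the certificate that matches -inkey as the key's certificate
# and stores the remaining ones as extra certificates.
export_keystore() {
    openssl pkcs12 -export -in "$WORK/cert-chain.txt" -inkey "$WORK/leaf.key" \
        -name "$ALIAS" -out "$KS" -passout "pass:$PASS"
}

# Number of certificates the keystore actually contains (expect 2: leaf + CA).
count_certs() {
    openssl pkcs12 -in "$KS" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Number of private keys extracted with -nocerts -nodes (expect 1).
count_keys() {
    openssl pkcs12 -in "$KS" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY'
}

# The friendlyName printed in the bag attributes is what keytool shows as alias.
has_alias() {
    openssl pkcs12 -in "$KS" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -q "friendlyName: $ALIAS"
}

# The integrity MAC must make the keystore refuse a wrong password (non-zero exit).
rejects_wrong_password() {
    ! openssl pkcs12 -in "$KS" -nokeys -passin "pass:not-$PASS" >/dev/null 2>&1
}

run_demo() {
    make_test_pki
    build_chain
    export_keystore
    echo "keystore: $KS"
    echo "certificates: $(count_certs), keys: $(count_keys)"
    has_alias && echo "alias '$ALIAS' present"
    rejects_wrong_password && echo "wrong password rejected"
}

case "${1-}" in run) run_demo ;; esac
```

Run it as `sh p12-demo.sh run` (file name assumed). The resulting ks.p12 can be inspected with `keytool -list -v -keystore ks.p12`, where the entry appears under the alias tomcat with a chain length of 2. Passing the password with `pass:` keeps the demo non-interactive; in real scripts prefer `-passin file:` or an environment variable so the password does not land in process listings and shell history.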