Cryptography - PKCS12 (PFX files)


PKCS12 is standard number 12 in the PKCS (Public-Key Cryptography Standards) family.

PKCS12 (i.e. the p12 extension) is intended to store both:

It has the capability of being password protected to provide some protection to the keys.

PFX was the predecessor of PKCS#12.

PKCS#12 files are used by client applications such as:



With OpenSSL pkcs12, you can add a chain.


A PKCS#12 file can be created by using the -export option, from:

  • a server certificate and the required intermediates in one PEM file
  • and private key

openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key -out www-example-com.p12

To PEM

Privacy-Enhanced Mail (PEM) (OpenSSH key format)

The output is a Base64 (PEM) encoding of the PKCS12 contents.

# -nodes: don't encrypt private keys
openssl pkcs12 \
    -in /opt/truststore.pkcs12 \
    -nodes \
    -out /opt/truststore.pem \
    -passin 'pass:YourPassword'
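
The two conversions above as one round trip, in an added example that is not part of the original page: it builds a throwaway self-signed pair, exports it to PKCS#12, converts it back to PEM and reports what the PEM file holds. The subject, the password and the function name p12_roundtrip are constructed for the example. The password is passed through an environment variable rather than pass:, and umask 077 is set because -nodes leaves the private key unencrypted.

```shell
# Added example (not from the original page): PKCS#12 round trip on a throwaway key pair.
# File names reuse the page's www-example-com.*; subject and password are constructed samples.
p12_roundtrip() (
    umask 077                                  # everything created below is owner-only
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT                  # do not leave key material behind
    cd "$dir" || exit 1
    P12_PASS='constructed-sample-password'; export P12_PASS

    # Throwaway self-signed certificate and key standing in for the real pair.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.com' \
        -keyout www-example-com.key -out www-example-com.crt 2>/dev/null || exit 1

    # Certificate + key -> PKCS#12. env: keeps the password out of the argument
    # list, where pass: would expose it to other local users via ps.
    openssl pkcs12 -export -in www-example-com.crt -inkey www-example-com.key \
        -out www-example-com.p12 -passout env:P12_PASS || exit 1

    # PKCS#12 -> PEM. -nodes writes the private key in clear text, so the
    # file permissions set by umask are the only protection left.
    openssl pkcs12 -in www-example-com.p12 -nodes \
        -out www-example-com.pem -passin env:P12_PASS 2>/dev/null || exit 1

    certs=$(grep -c 'BEGIN CERTIFICATE' www-example-com.pem)
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' www-example-com.pem)
    mode=$(ls -l www-example-com.pem | cut -c1-10)
    # The certificate that came out must be the one that went in.
    fp_in=$(openssl x509 -in www-example-com.crt -noout -fingerprint -sha256)
    fp_out=$(openssl x509 -in www-example-com.pem -noout -fingerprint -sha256)
    if [ "$fp_in" = "$fp_out" ]; then same=yes; else same=no; fi
    echo "certs=$certs keys=$keys mode=$mode same_cert=$same"
)

p12_roundtrip
```

Dropping -nodes from the second command makes openssl prompt for a PEM pass phrase and write the key encrypted instead.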
