Convert pfx format to p12

Question

I need to export a .pfx format certificate (from Windows MMC) to .p12 to use in another application. I cant find a way to do this.

Can anyone suggest a method?

Answer 1

It seems that legacy encryption algorithms have been dropped in openssl which are still used in gpsm. This means that you have to explicitly re-enable them while converting the keys with openssl:

openssl pkcs12 -in input.pfx -out output.pem
openssl pkcs12 -export -in output.pem -out output.p12 -legacy

Answer 2

In my case, I wanted to import a .pfx exported from Entrust and import it into gpgsm. gpgsm did not like that PFX:

$ gpgsm --import name.pfx
gpgsm: directory '/home/me/.gnupg' created
gpgsm: keybox '/home/me/.gnupg/pubring.kbx' created
gpgsm: data error at "pkcs5PBES2-params", offset 134
gpgsm: error at "bag-sequence", offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0

Paul Chan's answer above worked (using Firefox), but I wanted a command line solution.

Inspired by the other answers, I simply tried roundtripping it using openssl pcks12, and it worked:

# Convert pfx to pem
$ openssl pkcs12 -in name.pfx -out name.pem
# Convert pem to p12
openssl pkcs12 -export -in name.pem -out name.p12
$ gpgsm --import name.p12
gpgsm: 2456 bytes of RC2 encrypted text
# ...
gpgsm: total number processed: 3
gpgsm:               imported: 2
gpgsm:       secret keys read: 1
gpgsm:   secret keys imported: 1

Answer 3

first We Have certificate.PFX file

Step1: (Extract Private Key)

openssl pkcs12 -in certificate.pfx -nocerts -out private.key -passin pass:123123 -passout pass:123123

Step2: (Create P12 file)

openssl pkcs12 -export -out ewallet.p12 -inkey private.key -in certificate.cer -passin pass:123123 -passout pass:123123

Answer 4

If you are looking for a quick and manual process with UI. I always use Mozilla Firefox to convert from PFX to P12. First import the certificate into the Firefox browser (Options > Privacy & Security > View Certificates... > Import...). Once installed, perform the export to create the P12 file by choosing the certificate name from the Certificate Manager and then click Backup... and enter the file name and then enter the password.

Answer 5

This is more of a continuation of jglouie's response.

If you are using openssl to convert the PKCS#12 certificate to public/private PEM keys, there is no need to rename the file. Assuming the file is called cert.pfx, the following three commands will create a public pem key and an encrypted private pem key:

openssl pkcs12 -in cert.pfx     -out cert.pem     -nodes -nokeys
openssl pkcs12 -in cert.pfx     -out cert_key.pem -nodes -nocerts
openssl rsa    -in cert_key.pem -out cert_key.pem -des3

The first two commands may prompt for an import password. This will be a password that was provided with the PKCS#12 file.

The third command will let you specify the encryption passphrase for the certificate. This is what you will enter when using the certificate.

Answer 6

Run this command to change .cert file to .p12:

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt 

Where server.key is the server key and server.cert is a CA issue cert or a self sign cert file.

Answer 7

I had trouble with a .pfx file with openconnect. Renaming didn't solve the problem. I used keytool to convert it to .p12 and it worked.

keytool -importkeystore -destkeystore new.p12 -deststoretype pkcs12 -srckeystore original.pfx

In my case the password for the new file (new.p12) had to be the same as the password for the .pfx file.

Answer 8

.p12 and .pfx are both PKCS #12 files. Am I missing something?

Have you tried renaming the exported .pfx file to have a .p12 extension?