98

Using openssl, I've created a private key as follows:

openssl genrsa -out myKey.pem

Then, to generate the csr demanded by the CA, I've executed the following:

openssl req -new -key myKey.pem -out cert.csr

The CA responded with a certificate which I stored in a file named myCert.cer.

I'd now like to bundle the necessary components (private key, public key(?) and certificate) into a single .p12. To do so I've run the following:

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer

but I'm getting the following error message:

No certificate matches private key

How can I accomplish this?

Tom
Isaac Kleinman
  • 18
    Btw if someone wants to sign the `cert.csr` himself, then one could use `openssl x509 -req -in cert.csr -signkey key.pem -out cert.crt` and then `openssl pkcs12 -export -in cert.crt -inkey key.pem -out cert.p12`. No need to use the additional command from the answer. – Tom Dec 02 '15 at 13:21
  • How is the .cer generated, mentioned in the question above? – shmup Aug 04 '22 at 20:29

2 Answers

142

The openssl documentation says that the file supplied as the -in argument must be in PEM format.

Turns out that, contrary to the CA's manual, the certificate returned by the CA which I stored in myCert.cer is not in PEM format; rather, it is PKCS7.

In order to create my .p12, I had to first convert the certificate to PEM:

openssl pkcs7 -in myCert.cer -print_certs -out certs.pem

and then execute

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem

Isaac Kleinman
39

I'm debugging an issue I'm having with SSL connecting to a database (MySQL RDS) using an ORM called Prisma. The database connection string requires a PKCS12 (.p12) file (if interested, described here), which brought me here.

I know the question has been answered, but I found the following steps (in GitHub issue #2676) to be helpful for creating a .p12 file and wanted to share. Good luck!

  1. Generate 2048-bit RSA private key:

    openssl genrsa -out key.pem 2048

  2. Generate a Certificate Signing Request:

    openssl req -new -sha256 -key key.pem -out csr.csr

  3. Generate a self-signed x509 certificate suitable for use on web servers.

    openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

  4. Create SSL identity file in PKCS12 as mentioned here

    openssl pkcs12 -export -out client-identity.p12 -inkey key.pem -in certificate.pem

George.
  • Apparently, when it asks you to enter a password on the 4th command, you're supposed to literally type "password", and then confirm by typing it again. I must be missing something... – Kevin Beal Feb 08 '21 at 19:45
  • @KevinBeal from my understanding, the password it requests is the password used to secure the PKCS12 file. You get to create the password. If someone wanted to open and inspect the PKCS12 file, you would need the password to access the file, I believe. – George. Feb 09 '21 at 16:37
  • In step 3, I was given the option to choose a password. If that's the password you're referring to, it didn't work at all. [This link](https://www.openssl.org/docs/man1.1.0/man1/openssl.html#Pass-Phrase-Options) appears to show that the password is "password". But I know almost nothing about it. – Kevin Beal Feb 10 '21 at 15:35
  • 1
    You can be prompted for a password up to twice. If the input key file requires one you will be prompted for that, then you will be prompted for the password to set on the output `.p12` file. You can avoid the prompt for the latter with `-passout` and the former with `-passin`, see the [openssl-passphrase](https://www.openssl.org/docs/manmaster/man1/openssl-passphrase-options.html) docs for details (tl;dr `-passout pass:"your password here"`). – sorpigal Feb 16 '22 at 20:14
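The following script is an added example, not code from either answer or from Prisma: it normalises a CA-supplied certificate to PEM whatever its encoding (the accepted answer's PKCS7 case included), checks that the certificate's public key actually belongs to the private key before `pkcs12 -export` (the condition behind "No certificate matches private key"), and sets the bundle password with `-passout` as the comment thread describes. File names, the `/CN=demo` subject and the password are constructed for the demo; the self-signed certificate is wrapped into DER PKCS#7 only to stand in for the CA's `.cer`.

```shell
#!/bin/sh
# Added example: convert a CA certificate to PEM, verify the key pairs with it,
# then export a .p12 non-interactively. Requires the openssl CLI on PATH.
set -eu

# Convert a certificate file to PEM whatever its real encoding:
# PEM X.509, DER X.509, PEM PKCS#7 or DER PKCS#7 (the .cer from the question).
to_pem() {  # to_pem <in> <out.pem>
    if openssl x509 -in "$1" -noout 2>/dev/null; then
        openssl x509 -in "$1" -out "$2"
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform DER -out "$2"
    elif openssl pkcs7 -in "$1" -noout 2>/dev/null; then
        openssl pkcs7 -in "$1" -print_certs -out "$2"
    elif openssl pkcs7 -in "$1" -inform DER -noout 2>/dev/null; then
        openssl pkcs7 -in "$1" -inform DER -print_certs -out "$2"
    else
        echo "to_pem: $1 is neither an X.509 nor a PKCS#7 file" >&2; return 1
    fi
}

# "No certificate matches private key" means the SubjectPublicKeyInfo in the
# certificate differs from the one derived from the key; compare them directly.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>; exit status 0 = match
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Build the PKCS#12 bundle; -passout replaces the interactive password prompt.
make_p12() {  # make_p12 <key.pem> <cert.pem> <out.p12> <password>
    key_matches_cert "$1" "$2" || { echo "make_p12: key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Demo (constructed data): key + self-signed cert, with the cert wrapped into
# DER PKCS#7 to imitate the CA's myCert.cer. Prints the path of the .p12.
demo_workflow() {  # demo_workflow <workdir>
    d="$1"; mkdir -p "$d"
    openssl genrsa -out "$d/myKey.pem" 2048 >/dev/null 2>&1
    openssl req -new -x509 -key "$d/myKey.pem" -subj "/CN=demo" -days 1 \
        -out "$d/cert.pem" >/dev/null 2>&1
    openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -outform DER \
        -out "$d/myCert.cer" >/dev/null 2>&1
    to_pem "$d/myCert.cer" "$d/certs.pem"
    make_p12 "$d/myKey.pem" "$d/certs.pem" "$d/keyStore.p12" "demo-password"
    echo "$d/keyStore.p12"
}
```

Run `demo_workflow /tmp/p12demo` to see the whole flow; `key_matches_cert` on its own is the quickest way to diagnose the error from the question before re-running the export.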