154

I need to export a .pfx format certificate (from Windows MMC) to .p12 to use in another application. I cant find a way to do this.

Can anyone suggest a method?

Lii
  • 11,553
  • 8
  • 64
  • 88
Tom Squires
  • 8,848
  • 12
  • 46
  • 72

7 Answers7

273

.p12 and .pfx are both PKCS #12 files. Am I missing something?

Have you tried renaming the exported .pfx file to have a .p12 extension?

jglouie
  • 12,523
  • 6
  • 48
  • 65
  • 19
    Makes you wonder why they're are two different file extensions if they're really the same thing under the hood. – BrainSlugs83 Jul 11 '14 at 00:37
  • 51
    The reason there are two file extensions is historical. PFX was a Microsoft extension, while P12 was the Netscape one. Both formats have been adapted now to be identical, meaning that developers are able to use the .NET System.Security.Cryptography.X509Certificates namespace to work with both of them. See [here](https://embeddedtechwire.wordpress.com/2010/09/23/pfx-or-p12-certificates-what-is-the-difference/) for more information. – SnapShot Nov 25 '14 at 13:51
  • 7
    The filename extension for PKCS #12 files is ".p12" or ".pfx". Microsoft's "PFX" has received heavy criticism of being one of the most complex cryptographic protocols. PKCS #12 is the successor to Microsoft's "PFX". PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories. – AKS Dec 10 '14 at 10:24
  • 2
    renaming is not always working because. for example if you use SoapUI and test it a 2-way authentication it fails. p12 & pfx have history back to Netscape & IE. they are ALMOST the same but not identical files. so some apps can understand both regardless of extension and others need a 100% compatible valid p12 such as SoapUI – M.Hefny Jun 11 '18 at 11:35
  • This has not worked in our case at all. Even though they are supposed both be PCKS12 files, renaming isn't working and I haven't loaded a hex editor to see why that doesn't work. – thepip3r Jul 23 '21 at 16:18
28

I had trouble with a .pfx file with openconnect. Renaming didn't solve the problem. I used keytool to convert it to .p12 and it worked.

keytool -importkeystore -destkeystore new.p12 -deststoretype pkcs12 -srckeystore original.pfx

In my case the password for the new file (new.p12) had to be the same as the password for the .pfx file.

user3113045
  • 3,243
  • 2
  • 16
  • 10
12

If you are looking for a quick and manual process with UI. I always use Mozilla Firefox to convert from PFX to P12. First import the certificate into the Firefox browser (Options > Privacy & Security > View Certificates... > Import...). Once installed, perform the export to create the P12 file by choosing the certificate name from the Certificate Manager and then click Backup... and enter the file name and then enter the password.

Paul Chan
  • 121
  • 1
  • 3
5

This is more of a continuation of jglouie's response.

If you are using openssl to convert the PKCS#12 certificate to public/private PEM keys, there is no need to rename the file. Assuming the file is called cert.pfx, the following three commands will create a public pem key and an encrypted private pem key:

openssl pkcs12 -in cert.pfx     -out cert.pem     -nodes -nokeys
openssl pkcs12 -in cert.pfx     -out cert_key.pem -nodes -nocerts
openssl rsa    -in cert_key.pem -out cert_key.pem -des3

The first two commands may prompt for an import password. This will be a password that was provided with the PKCS#12 file.

The third command will let you specify the encryption passphrase for the certificate. This is what you will enter when using the certificate.

Keith Hanlan
  • 768
  • 7
  • 13
  • The first command overwrites the second, so perhaps just do step 2 and 3. FYI for readers, Des3 is the default encryption for the private key. – makerofthings7 Mar 21 '18 at 16:20
2

Run this command to change .cert file to .p12:

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt

Where server.key is the server key and server.cert is a CA issue cert or a self sign cert file.

vich
  • 11,836
  • 13
  • 49
  • 66
kishore tiwari
  • 49
  • 1
2

In my case, I wanted to import a .pfx exported from Entrust and import it into gpgsm. gpgsm did not like that PFX:

$ gpgsm --import name.pfx
gpgsm: directory '/home/me/.gnupg' created
gpgsm: keybox '/home/me/.gnupg/pubring.kbx' created
gpgsm: data error at "pkcs5PBES2-params", offset 134
gpgsm: error at "bag-sequence", offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0

Paul Chan's answer above worked (using Firefox), but I wanted a command line solution.

Inspired by the other answers, I simply tried roundtripping it using openssl pcks12, and it worked:

# Convert pfx to pem
$ openssl pkcs12 -in name.pfx -out name.pem
# Convert pem to p12
openssl pkcs12 -export -in name.pem -out name.p12
$ gpgsm --import name.p12
gpgsm: 2456 bytes of RC2 encrypted text
# ...
gpgsm: total number processed: 3
gpgsm:               imported: 2
gpgsm:       secret keys read: 1
gpgsm:   secret keys imported: 1
philb
  • 2,031
  • 15
  • 20
  • FWIW, with gpgsm 2.2.27, even after roundtripping I got the very same error message. Possibly the default algorithms changed? – Torsten Bronger Jun 10 '22 at 15:43
  • interesting... if I recall correctly that was on Ubuntu 20.04 with GPG and OpenSSL installed from Ubuntu repos, so GPG 2.2.19 and OpenSSL 1.1.1f... – philb Jun 10 '22 at 15:56
1

first We Have certificate.PFX file

Step1: (Extract Private Key)

openssl pkcs12 -in certificate.pfx -nocerts -out private.key -passin pass:123123 -passout pass:123123

Step2: (Create P12 file)

openssl pkcs12 -export -out ewallet.p12 -inkey private.key -in certificate.cer -passin pass:123123 -passout pass:123123
amir
  • 29
  • 2