1. Introduction
In cryptography, PKCS #12 specifies a file format designed to bundle multiple cryptographic objects into a single password-protected archive file. It is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trust. The contents may be encrypted, and the file carries an integrity check (in practice a password-derived MAC; the standard also allows public-key signing), so tampering can be detected. Because that protection is password-derived, the bundle is only as strong as its password and the key-derivation and cipher algorithms used; files written by older tools often rely on RC2-40, 3DES and SHA-1. The filename extension for PKCS #12 files is .p12 or .pfx.
These files can be created, parsed and read out with the OpenSSL pkcs12 command.
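The create-and-read-back cycle described above, as an added example that is not part of the original page: it generates a throwaway RSA key and self-signed certificate, bundles them with `openssl pkcs12 -export`, reads the certificate and key back out of the archive and checks that they match the originals. The file names, the alias `server` and the password are made up for the demonstration, and the script needs the `openssl` command-line tool (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not from the original page): build a PKCS#12 bundle with
# OpenSSL, read it back, and verify what is inside it.
# Every path, alias and password here is made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='demo-p12-password'   # constructed; never hard-code a real one

# Step 1: throwaway RSA key and self-signed certificate (constructed test material).
make_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=example.test' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Step 2: bundle key + certificate into a password-protected .p12.
# -name sets the friendlyName that Java and Windows show as the alias.
export_p12() {
    openssl pkcs12 -export \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name 'server' -passout "pass:$PASS" \
        -out "$WORK/bundle.p12"
}

# Step 3: the check a practitioner wants after bundling: the certificate and
# key recovered from the archive are the ones that went in.
# Returns 0 only if both the certificate fingerprint and the public key match.
verify_p12() {
    orig_cert=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
    p12_cert=$(openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" \
                   -nokeys -clcerts 2>/dev/null \
               | openssl x509 -noout -fingerprint -sha256)

    orig_pub=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null)
    p12_pub=$(openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" \
                  -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null)

    [ "$orig_cert" = "$p12_cert" ] && [ "$orig_pub" = "$p12_pub" ]
}

# Step 4: which MAC and encryption algorithms the file actually uses.
# -info writes these lines to stderr; -nokeys -nocerts stops it printing the
# bundle contents themselves.
show_p12_algorithms() {
    openssl pkcs12 -info -in "$WORK/bundle.p12" -passin "pass:$PASS" \
        -nokeys -nocerts 2>&1 \
    | grep -E 'MAC|Encrypted data|Keybag|Key bag'
}

main() {
    make_key_and_cert
    export_p12
    if verify_p12; then
        echo "certificate and key read back from bundle.p12 match the originals"
    else
        echo "MISMATCH: bundle.p12 does not hold the expected key/certificate" >&2
        return 1
    fi
    show_p12_algorithms
}
main "$@"
```

The last step is worth keeping in any audit script: OpenSSL 3 writes AES-256-CBC with PBKDF2 and a SHA-256 MAC by default, while files produced by older tools commonly show pbeWithSHA1And40BitRC2-CBC and 3DES with a SHA-1 MAC, which OpenSSL 3 can only read with `-legacy` and which should be re-exported before the old password is forgotten.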
2. Relationship to PFX file format
- PFX (Personal Information Exchange): Initially developed by Microsoft as a proprietary format for securely storing and transferring cryptographic objects such as private keys, certificates, and intermediate certificates.
- PKCS#12 (Public Key Cryptography Standards #12): A standardized version of the PFX format, developed by RSA Security as part of their Public-Key Cryptography Standards (PKCS). PKCS#12 improved and formalized the format for broader compatibility.
Both formats serve the same purpose: to bundle a private key, its corresponding certificate, and optionally a certificate chain into a single password-protected file. The terms "PFX file" and "PKCS#12 file" are often used interchangeably because PKCS#12 is the successor to PFX and most tools treat them as equivalent. Modern software, including OpenSSL, Java's keytool, and certificate management utilities, supports PKCS#12 files and uses the extensions .pfx and .p12 without distinction.
- .pfx: Historically associated with the older Microsoft format, but now commonly used for PKCS#12 files.
- .p12: More commonly associated with PKCS#12 files, emphasizing their standards compliance.
In practice, PKCS#12 files are primarily used to store a single private key along with its associated certificate chain, even though the format technically allows for storing multiple cryptographic objects.
3. PKCS#12 and Java
As of Java 9, PKCS #12 is the default keystore format.
A simpler alternative to PKCS #12 is PEM, which just lists certificates and possibly private keys as Base64-encoded blocks in a text file. Note the difference in protection: a private key in a PEM file is stored in the clear unless it is explicitly encrypted, whereas a PKCS #12 file encrypts its contents and authenticates them with a password-derived MAC. Before Java 9, JKS was the default keystore format. PKCS #12 is a standard format that other programs and libraries can read, while JKS is Java-specific.
4. Converting JKS to PKCS#12
If you want to convert a JKS (.jks) keystore to a PKCS#12 (.p12) keystore, you can do so by executing the following command.
keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
- [MY_KEYSTORE.jks]: The path to the keystore that you want to convert. keytool will prompt for its password; add -srcstorepass [PASSWORD_JKS] to run the command non-interactively.
- [MY_FILE.p12]: The path to the PKCS12 file (.p12 or .pfx extension) that is going to be created.
- [PASSWORD_PKCS12]: The password that protects the new PKCS12 file. keytool uses it both to open the store and to protect the private-key entries inside it; PKCS12 keystores in keytool do not support a key password that differs from the store password.
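A worked conversion, added here and not taken from the original page, that also verifies the result with a second tool, since a silent keytool run is not proof that the private key came across: it creates a throwaway JKS keystore, converts it as the command above does, then uses OpenSSL to check that the certificate in the .p12 is the one from the JKS and that the private key in the .p12 matches that certificate. The keystore names, the alias `server` and both passwords are made up, and the script needs a JDK (for keytool) and OpenSSL. Run it as `sh jks2p12.sh run`.

```shell
#!/bin/sh
# Added example (not from the original page): convert a JKS keystore to
# PKCS#12 with keytool, then prove the key and certificate survived the
# conversion using OpenSSL as an independent reader.
# All names, aliases and passwords below are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
JKS_PASS='old-jks-password'   # constructed
P12_PASS='new-p12-password'   # constructed; read it from a secret store in practice
ALIAS='server'

# Step 1: a throwaway JKS keystore to convert (constructed test material).
# JDK 9+ warns that JKS is proprietary; that warning is expected here.
make_jks() {
    keytool -genkeypair -storetype JKS -keystore "$WORK/src.jks" \
        -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname 'CN=example.test' -validity 30 \
        -storepass "$JKS_PASS" -keypass "$JKS_PASS" >/dev/null 2>&1
}

# Step 2: the conversion. Giving both passwords keeps keytool non-interactive
# and -noprompt stops it asking before overwriting an existing destination.
# The source key password equals the source store password here; if it
# differed, it would have to be supplied with -srckeypass.
convert_jks_to_p12() {
    keytool -importkeystore \
        -srckeystore "$WORK/src.jks" -srcstoretype JKS -srcstorepass "$JKS_PASS" \
        -destkeystore "$WORK/out.p12" -deststoretype PKCS12 -deststorepass "$P12_PASS" \
        -noprompt
}

# Step 3: verification with OpenSSL. Returns 0 only if the certificate in the
# .p12 has the same SHA-256 fingerprint as the one exported from the JKS and
# the private key in the .p12 matches that certificate's public key.
verify_conversion() {
    keytool -exportcert -rfc -keystore "$WORK/src.jks" -storepass "$JKS_PASS" \
        -alias "$ALIAS" > "$WORK/jks-cert.pem" 2>/dev/null
    jks_fp=$(openssl x509 -in "$WORK/jks-cert.pem" -noout -fingerprint -sha256)
    cert_pub=$(openssl x509 -in "$WORK/jks-cert.pem" -noout -pubkey)

    p12_fp=$(openssl pkcs12 -in "$WORK/out.p12" -passin "pass:$P12_PASS" \
                 -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256)
    p12_pub=$(openssl pkcs12 -in "$WORK/out.p12" -passin "pass:$P12_PASS" \
                  -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null)

    [ "$jks_fp" = "$p12_fp" ] && [ "$p12_pub" = "$cert_pub" ]
}

# Step 4: the entry is still visible to Java under its original alias.
list_p12_with_keytool() {
    keytool -list -keystore "$WORK/out.p12" -storetype PKCS12 -storepass "$P12_PASS"
}

main() {
    make_jks
    convert_jks_to_p12
    if verify_conversion; then
        echo "conversion verified: key and certificate in out.p12 match src.jks"
    else
        echo "MISMATCH: out.p12 does not hold the expected key/certificate" >&2
        return 1
    fi
    list_p12_with_keytool
}

case "${1:-}" in
    run) main ;;
    *)   echo "usage: $0 run   (needs keytool and openssl on PATH)" >&2 ;;
esac
```

Reading the converted file back with a tool other than the one that wrote it is the point of the verification step: it catches a key that was silently skipped because of a mismatched key password, and it confirms the archive is readable outside the JVM, which is the usual reason for converting in the first place.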