Learnitweb

What is a PKCS#12 file?

1. Introduction

In cryptography, PKCS #12 specifies a file format designed to securely bundle multiple cryptographic objects into a single archive file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. A PKCS #12 file may be encrypted and signed. The filename extension for PKCS #12 files is .p12 or .pfx.
These files can be created, parsed and read with the OpenSSL pkcs12 command.

2. Relationship to PFX file format

  • PFX (Personal Information Exchange): Initially developed by Microsoft as a proprietary format for securely storing and transferring cryptographic objects such as private keys, certificates, and intermediate certificates.
  • PKCS#12 (Public Key Cryptography Standards #12): A standardized version of the PFX format, developed by RSA Security as part of their Public-Key Cryptography Standards (PKCS). PKCS#12 improved and formalized the format for broader compatibility.

Both formats serve the same purpose: to bundle a private key, its corresponding certificate, and optionally a certificate chain into a single password-protected file. The terms “PFX file” and “PKCS#12 file” are often used interchangeably because PKCS#12 is the successor to PFX and most tools treat them as equivalent. Modern software, including OpenSSL, Java Keytool, and certificate management utilities, supports PKCS#12 files and uses extensions like .pfx and .p12 without distinction.

  • .pfx: Historically associated with the older Microsoft format but now commonly used for PKCS#12 files.
  • .p12: More commonly associated with PKCS#12 files, emphasizing their standard-compliance.

In practice, PKCS#12 files are primarily used to store a single private key along with its associated certificate chain, even though the format technically allows for storing multiple cryptographic objects.

3. PKCS#12 and Java

As of Java 9, PKCS #12 is the default keystore format.

A simpler alternative to PKCS #12 is PEM, which just lists the certificates and possibly private keys as Base64 strings in a text file. In Java, JKS was the default keystore format before PKCS#12. PKCS#12 is a standard format that other programs and libraries can read, whereas JKS is Java-specific.

4. Converting JKS to PKCS#12

If you want to convert a JKS (.jks) keystore to a PKCS#12 (.p12) keystore, run the following command.

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]

  • [MY_KEYSTORE.jks]: The path to the keystore that you want to convert.
  • [MY_FILE.p12]: The path to the PKCS12 file (.p12 or .pfx extension) that is going to be created.
  • [PASSWORD_PKCS12]: The password that will be required to open the PKCS12 file.
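As an added example (not from the original article or from any tool it names), here is the OpenSSL pkcs12 command from section 1 used to build a password-protected bundle and then check it; the same checks apply to a .p12 produced by the keytool conversion above. It assumes only the openssl CLI on PATH, and the key, certificate, alias and password it uses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article. Needs only the openssl CLI
# (1.1.1 or 3.x) on PATH; every file name and password below is a constructed sample.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS='constructed-sample-password'

# Throwaway RSA key and self-signed certificate standing in for real material.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=p12-example.invalid" >/dev/null 2>&1

# Bundle key + certificate into one password-protected PKCS#12 archive.
# -keypbe/-certpbe/-macalg pin AES-256 and SHA-256 explicitly instead of relying
# on the installed OpenSSL's defaults (older releases used RC2-40/3DES and SHA-1).
openssl pkcs12 -export \
  -inkey "$WORK/key.pem" -in "$WORK/cert.pem" -name "example-alias" \
  -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
  -out "$WORK/bundle.p12" -passout "pass:$P12_PASS"

# p12_opens_with FILE PASSWORD: succeeds only if the integrity MAC verifies,
# i.e. the password is right and the file has not been tampered with.
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# p12_alias FILE PASSWORD: print the friendlyName (alias) stored with the entry,
# the same name keytool shows when listing the keystore.
p12_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_cert_matches FILE PASSWORD CERT_PEM: compare the SHA-256 fingerprint of the
# certificate inside the bundle with that of a PEM certificate on disk.
p12_cert_matches() {
  inside=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  ondisk=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  [ -n "$inside" ] && [ "$inside" = "$ondisk" ]
}

# Stand-alone run: exercise the checks against the bundle just created.
p12_opens_with "$WORK/bundle.p12" "$P12_PASS" && echo "opens with correct password"
p12_opens_with "$WORK/bundle.p12" "wrong-password" || echo "rejected wrong password"
echo "alias inside bundle: $(p12_alias "$WORK/bundle.p12" "$P12_PASS")"
p12_cert_matches "$WORK/bundle.p12" "$P12_PASS" "$WORK/cert.pem" && echo "certificate matches"
```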