Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication

ssh openssl certificate x509 pkcs#12
465,146

Solution 1

You can use following commands to extract public/private key from a PKCS#12 container:

  • PKCS#1 Private key

    openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem

  • Certificates:

    openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem

Solution 2

This is possible with a bit of format conversion.

To extract the private key in a format openssh can use:

openssl pkcs12 -in pkcs12.pfx -nocerts -nodes | openssl rsa > id_rsa

To convert the private key to a public key:

openssl rsa -in id_rsa -pubout | ssh-keygen -f /dev/stdin -i -m PKCS8

To extract the public key in a format openssh can use:

openssl pkcs12 -in pkcs12.pfx -clcerts -nokeys | openssl x509 -pubkey -noout | ssh-keygen -f /dev/stdin -i -m PKCS8

Solution 3

OpenSSH cannot use PKCS#12 files out of the box. As others suggested, you must extract the private key in PEM format which gets you from the land of OpenSSL to OpenSSH. Other solutions mentioned here don’t work for me. I use OS X 10.9 Mavericks (10.9.3 at the moment) with “prepackaged” utilities (OpenSSL 0.9.8y, OpenSSH 6.2p2).

First, extract a private key in PEM format which will be used directly by OpenSSH:

openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts | openssl rsa > ~/.ssh/id_rsa

I strongly suggest to encrypt the private key with password:

openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts | openssl rsa -passout 'pass:Passw0rd!' > ~/.ssh/id_rsa

Obviously, writing a plain-text password on command-line is not safe either, so you should delete the last command from history or just make sure it doesn’t get there. Different shells have different ways. You can prefix your command with space to prevent it from being saved to history in Bash and many other shells. Here is also how to delete the command from history in Bash:

history -d $(history | tail -n 2 | awk 'NR == 1 { print $1 }')

Alternatively, you can use different way to pass a private key password to OpenSSL - consult OpenSSL documentation for pass phrase arguments.

Then, create an OpenSSH public key which can be added to authorized_keys file:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

Solution 4

Solution 1:

Extract P12 from jks

keytool -importkeystore -srckeystore MyRootCA.jks -destkeystore MyRootCA.p12 -deststoretype PKCS12

Extract PEM from P12 and Edit file and pem from crt file

openssl pkcs12 -in MyRootCA.p12 -clcerts -nokeys -out MyRootCA.crt

Extract key from jks

openssl pkcs12 -in MyRootCA.p12 -nocerts -out encryptedPrivateKey.pem
openssl rsa -in encryptedPrivateKey.pem -out decryptedPrivateKey.key

Solution 2:

Extract PEM and encryptedPrivateKey to txt file```

openssl pkcs12 -in MyRootCA.p12 -out keys_out.txt

Decrypt privateKey

openssl rsa -in encryptedPrivateKey.key [-outform PEM] -out decryptedPrivateKey.key

Solution 5

Update: I noticed that my answer was just a poor duplicate of a well explained question on https://unix.stackexchange.com/... by BryKKan

Here is an extract from it:

openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>

openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>

openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>
Share:
465,146

Related videos on Youtube

lazydaemon
Author by

lazydaemon

Updated on July 08, 2022

Comments

  • lazydaemon
    lazydaemon almost 2 years

    I want to extract the public and private key from my PKCS#12 file for later use in SSH-Public-Key-Authentication.

    Right now, I'm generating keys via ssh-keygen which I put into .ssh/authorized_key, respective somewhere on the client-side.

    In future, I want to use the keys from a PKCS#12 container, so I've to extract the public-key first from PKCS#12 and then put them into the .ssh/authorized_keys file. Is there any chance to get this working via openssl? Are the keys in PKCS#12 compatible for ssh-public-key authentication?

  • edthethird
    edthethird almost 9 years
    the commands work, but the Private key is exported as PKCS1 format and I need PKCS8... Is there any option I am missing to get this? For example, it exports '-----BEGIN RSA PRIVATE KEY-----' but I need '-----BEGIN PRIVATE KEY-----'
  • Snekse
    Snekse almost 9 years
    What's the | openssl rsa stuff for?
  • F4-Z4
    F4-Z4 almost 9 years
    @Snekse it makes sure there's only private key in the output. In my case, it creates identity file (~/.ssh/id_rsa) with some “cruft” like Bag Attributes without ` | openssl rsa`. I guess OpenSSH and other utilities which use identity file can handle that cruft (I haven’t tried), but I am simply used to provide only the necessary data and nothing more, especially if it's something around security.
  • BillyRayCyrus
    BillyRayCyrus over 8 years
    This answer worked for me to get access to the PEM-format private key in the terminal, which I was able to copy/paste: openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts
  • Francois
    Francois over 8 years
    To do that you could try openssl rsa -in privateKey.pem -out private.pem
  • Christopher K.
    Christopher K. over 8 years
    @edthethird: To get PKCS8, add the -nodes flag
  • nidheeshdas
    nidheeshdas over 8 years
    To export without password, add -passout pass:. It expects the parameter to be in the form pass:mypassword. stackoverflow.com/a/27497899/206277
  • BTC
    BTC over 7 years
    Thank you! The first line was the one I needed. Just the key, unencrypted, so it can be installed via most CDNs automated systems.
  • TecHunter
    TecHunter over 7 years
    @ChristopherK. thanks! that was the good one for me. adding -nodes exports the key correctly
  • ryanc
    ryanc almost 7 years
    @PhilipRego I think you have public and private keys confused. An RSA public key is two values, 'e' the public exponent, and 'n' the modulus - both of which are stored along side the private parts of the key.
  • PatS
    PatS about 6 years
    When answering questions it helps to highlight what the commands are. You can do that by adding three backquotes before and after the command so ```echo hello``` becomes echo hello.
  • mx0
    mx0 over 5 years
    Adding some explanation would make this answer more useful.
  • Styx
    Styx about 5 years
    That should be a comment to accepted answer, not the answer.
  • mlerley
    mlerley over 4 years
    To get the CA certificate, use openssl pkcs12 -in yourP12File.pfx -cacerts -nokeys -out caCert.pem
  • Philip Rego
    Philip Rego over 4 years
    This only exports the first certificate.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Windows 2008R2 CA & OpenSSL CSR: Error parsing CSR ASN1 bad value met
How to create a single line x509 certificate that can be parsed by OpenSSL commandline tool
How to use OpenSSL for self-signed certificates with custom CA and proper SAN settings?
Incorrect Authority Key Identifier on openssl end cert
openssl certificate chain lost when converting from pem to der
OPENSSL Save x509 certificate of a website
OpenSSL x509 Purpose flag "Any Purpose" What is this?
Fingerprint of PEM ssh key
Import of PEM certificate chain and key to Java Keystore
How to verify a X509 certificate in C