Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication
160 votes
I want to extract the public and private key from my PKCS#12 file for later use in SSH-Public-Key-Authentication.
Right now, I'm generating keys via ssh-keygen which I put into .ssh/authorized_keys, respectively somewhere on the client-side.
In future, I want to use the keys from a PKCS#12 container, so I've to extract the public-key first from PKCS#12 and then put them into the .ssh/authorized_keys-file. Is there any chance to get this working via openssl? Are the keys in PKCS#12 compatible for ssh-public-key authentication?
ssh openssl certificate x509 pkcs#12
edited Oct 12 '17 at 8:28 by Cœur
asked Feb 29 '12 at 10:53 by lazydaemon
6 Answers
0 votes
As far as I know PKCS#12 is just a certificate/public/private key store. If you extracted a public key from PKCS#12 file, OpenSSH should be able to use it as long as it was extracted in PEM format. You probably already know that you also need a corresponding private key (also in PEM) in order to use it for ssh-public-key authentication.
0 votes
Update: I noticed that my answer was just a poor duplicate of a well explained question on https://unix.stackexchange.com/... by BryKKan
Here is an extract from it:
```
# private key only, written unencrypted (-nodes)
openssl pkcs12 -in filename.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > clientcert.key
# client certificate only
openssl pkcs12 -in filename.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clientcert.cer
# CA certificates from the bundle
openssl pkcs12 -in filename.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.cer
```
1
Adding some explanation would make this answer more useful.
– mx0
Nov 15 at 18:03
241 votes, accepted
You can use the following commands to extract the public/private key from a PKCS#12 container:
PKCS#1 private key:
```
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
```
Certificates:
```
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
```
edited Oct 27 '17 at 2:23 by Franklin Yu
answered Mar 1 '12 at 13:19 by Nilesh
6
the commands work, but the Private key is exported as PKCS1 format and I need PKCS8... Is there any option I am missing to get this? For example, it exports '-----BEGIN RSA PRIVATE KEY-----' but I need '-----BEGIN PRIVATE KEY-----'
– edthethird
Aug 27 '15 at 17:27
4
To do that you could try `openssl rsa -in privateKey.pem -out private.pem`
– Francois
Nov 12 '15 at 14:56
22
@edthethird: To get PKCS8, add the -nodes flag
– Christopher K.
Nov 19 '15 at 12:13
7
To export without password, add `-passout pass:`. It expects the parameter to be in the form `pass:mypassword`. stackoverflow.com/a/27497899/206277
– nidheeshdas
Feb 7 '16 at 7:01
1
@ChristopherK. thanks! that was the good one for me. adding `-nodes` exports the key correctly
– TecHunter
Feb 17 '17 at 9:49
74 votes
This is possible with a bit of format conversion.
To extract the private key in a format openssh can use:
```
openssl pkcs12 -in pkcs12.pfx -nocerts -nodes | openssl rsa > id_rsa
```
To convert the private key to a public key:
```
openssl rsa -in id_rsa -pubout | ssh-keygen -f /dev/stdin -i -m PKCS8
```
To extract the public key in a format openssh can use:
```
openssl pkcs12 -in pkcs12.pfx -clcerts -nokeys | openssl x509 -pubkey -noout | ssh-keygen -f /dev/stdin -i -m PKCS8
```
answered Mar 15 '12 at 16:28 by ryanc
1
Thank you! The first line was the one I needed. Just the key, unencrypted, so it can be installed via most CDNs automated systems.
– BTC
Jan 25 '17 at 21:47
1
@PhilipRego I think you have public and private keys confused. An RSA public key is two values, 'e' the public exponent, and 'n' the modulus - both of which are stored along side the private parts of the key.
– ryanc
Jul 19 '17 at 23:47
11 votes
OpenSSH cannot use PKCS#12 files out of the box. As others suggested, you must extract the private key in PEM format which gets you from the land of OpenSSL to OpenSSH. Other solutions mentioned here don’t work for me. I use OS X 10.9 Mavericks (10.9.3 at the moment) with “prepackaged” utilities (OpenSSL 0.9.8y, OpenSSH 6.2p2).
First, extract a private key in PEM format which will be used directly by OpenSSH:
```
openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts | openssl rsa > ~/.ssh/id_rsa
```
I strongly suggest encrypting the private key with a password:
```
# -aes256 makes openssl rsa encrypt its output; -passout alone is ignored without a cipher option
openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts | openssl rsa -aes256 -passout 'pass:Passw0rd!' > ~/.ssh/id_rsa
```
Obviously, writing a plain-text password on the command line is not safe either, so you should delete the last command from history or just make sure it doesn’t get there. Different shells have different ways. You can prefix your command with space to prevent it from being saved to history in Bash and many other shells. Here is also how to delete the command from history in Bash:
```
history -d $(history | tail -n 2 | awk 'NR == 1 { print $1 }')
```
Alternatively, you can use a different way to pass a private key password to OpenSSL - consult OpenSSL documentation for pass phrase arguments.
Then, create an OpenSSH public key which can be added to the authorized_keys file:
```
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
```
edited 3 hours ago
answered Jun 5 '14 at 20:46 by frzng
What's the `| openssl rsa` stuff for?
– Snekse
Sep 17 '15 at 0:15
1
@Snekse it makes sure there's only private key in the output. In my case, it creates identity file (~/.ssh/id_rsa) with some “cruft” like Bag Attributes without ` | openssl rsa`. I guess OpenSSH and other utilities which use identity file can handle that cruft (I haven’t tried), but I am simply used to provide only the necessary data and nothing more, especially if it's something around security.
– frzng
Sep 23 '15 at 12:11
1
This answer worked for me to get access to the PEM-format private key in the terminal, which I was able to copy/paste: `openssl pkcs12 -in filename.p12 -clcerts -nodes -nocerts`
– BillyRayCyrus
Sep 30 '15 at 18:46
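The steps from the answers above combined into one function, as an added example that is not part of any answer on this page: it re-encrypts the key before it reaches disk, passes both passwords through the environment instead of the command line, and checks that the extracted key matches the certificate. The function names, the `id_from_p12` file name and the `P12_PASS` / `KEY_PASS` variables are assumptions made for this example; `openssl pkey` is used in place of `openssl rsa` so that non-RSA keys work too.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Assumed names: p12_to_ssh, make_demo_p12, id_from_p12, P12_PASS, KEY_PASS.
# Requires openssl and ssh-keygen on PATH.

# p12_to_ssh BUNDLE.p12 OUTDIR
#   P12_PASS = import password of the bundle (may be empty)
#   KEY_PASS = new passphrase protecting the extracted key
# Writes OUTDIR/id_from_p12     (encrypted PKCS#8 PEM, mode 0600)
#    and OUTDIR/id_from_p12.pub (one line for authorized_keys).
p12_to_ssh() (
    p12=$1 out=$2
    [ -r "$p12" ] && [ -d "$out" ] || { echo "usage: p12_to_ssh FILE.p12 OUTDIR" >&2; exit 2; }
    : "${P12_PASS?set P12_PASS}" "${KEY_PASS:?set a non-empty KEY_PASS}"
    export P12_PASS KEY_PASS       # read by openssl via env:, never placed in argv
    umask 077                      # ssh refuses identity files readable by others
    key=$out/id_from_p12

    # Private key: the clear-text key exists only inside the pipe and is
    # re-encrypted before it is written. pkey also drops the "Bag Attributes" text.
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:P12_PASS |
        openssl pkey -aes-256-cbc -passout env:KEY_PASS -out "$key" ||
        { rm -f "$key"; exit 1; }

    # Public key as stored in the client certificate (SubjectPublicKeyInfo PEM).
    cert_pub=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS |
        openssl x509 -pubkey -noout) || { rm -f "$key"; exit 1; }

    # The key we wrote must belong to that certificate.
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout) ||
        { rm -f "$key"; exit 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; rm -f "$key"; exit 1; }

    # SubjectPublicKeyInfo -> OpenSSH one-line format.
    printf '%s\n' "$cert_pub" | ssh-keygen -i -m PKCS8 -f /dev/stdin > "$key.pub"
)

# Constructed test material: a throwaway self-signed certificate and key,
# packed into a PKCS#12 bundle protected with $P12_PASS.
make_demo_p12() (
    p12=$1
    : "${P12_PASS?set P12_PASS}"
    export P12_PASS
    d=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo" \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
            -passout env:P12_PASS -out "$p12"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
```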
up vote
4
down vote
Solution 1:
Extract P12 from jks
keytool -importkeystore -srckeystore MyRootCA.jks -destkeystore MyRootCA.p12 -deststoretype PKCS12
Extract PEM from P12 and Edit file and pem from crt file
openssl pkcs12 -in MyRootCA.p12 -clcerts -nokeys -out MyRootCA.crt
Extract key from jks
openssl pkcs12 -in MyRootCA.p12 -nocerts -out encryptedPrivateKey.pem
openssl rsa -in encryptedPrivateKey.pem -out decryptedPrivateKey.key
Solution 2:
Extract PEM and encryptedPrivateKey to txt file```
openssl pkcs12 -in MyRootCA.p12 -out keys_out.txt
Decrypt privateKey
openssl rsa -in encryptedPrivateKey.key [-outform PEM] -out decryptedPrivateKey.key
Solution 1:
Extract P12 from jks
```
keytool -importkeystore -srckeystore MyRootCA.jks -destkeystore MyRootCA.p12 -deststoretype PKCS12
```
Extract PEM from P12 and Edit file and pem from crt file
```
openssl pkcs12 -in MyRootCA.p12 -clcerts -nokeys -out MyRootCA.crt
```
Extract key from jks
```
openssl pkcs12 -in MyRootCA.p12 -nocerts -out encryptedPrivateKey.pem
openssl rsa -in encryptedPrivateKey.pem -out decryptedPrivateKey.key
```
Solution 2:
Extract PEM and encryptedPrivateKey to txt file
```
openssl pkcs12 -in MyRootCA.p12 -out keys_out.txt
```
Decrypt privateKey
```
openssl rsa -in encryptedPrivateKey.key [-outform PEM] -out decryptedPrivateKey.key
```
edited Jun 21 at 16:45 by Dan Atkinson
answered Feb 22 at 13:22 by Ali Alimohammadi
When answering questions it helps to highlight what the commands are. You can do that by adding three backquotes before and after the command so ```echo hello``` becomes `echo hello`.
– PatS
Jun 1 at 15:17
As far as I know, PKCS#12 is just a certificate/public/private key store. If you extracted a public key from a PKCS#12 file, OpenSSH should be able to use it as long as it was extracted in PEM format. You probably already know that you also need a corresponding private key (also in PEM) in order to use it for ssh-public-key authentication.
edited Oct 12 '17 at 8:29 by Cœur
answered Feb 29 '12 at 22:15 by sirgeorge
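The extraction discussed in the answers on this page, carried through to an `authorized_keys` line and a passphrase-protected identity file, as an added example that is not code from any of the posters. It assumes `openssl` and `ssh-keygen` are on the PATH and that the passwords are supplied in the environment variables `P12_PASS` and `KEY_PASS`; those variable names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names, file names and the P12_PASS / KEY_PASS
# environment variables are assumptions made for this illustration.

# Print the client certificate's public key as one authorized_keys line.
# Only the certificate bag is read, so the private key is never decrypted.
p12_to_ssh_pubkey() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS |
        openssl x509 -pubkey -noout |
        ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# Write the private key to "$2", still encrypted under KEY_PASS.
# The subshell body keeps umask 077 local; the file is created mode 0600.
p12_to_private_key() (
    umask 077
    openssl pkcs12 -in "$1" -nocerts \
        -passin env:P12_PASS -passout env:KEY_PASS -out "$2"
)

# Succeed only if the key file "$2" holds the private half of the
# certificate in "$1", by comparing the two derived public keys.
# Passwords travel through the environment, not the command line.
p12_key_matches() {
    from_cert=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS |
        openssl x509 -pubkey -noout)
    from_key=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}
```

The output of `p12_to_ssh_pubkey` is the line to append to `~/.ssh/authorized_keys` on the server, and the file written by `p12_to_private_key` is the one to pass to `ssh -i`.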
Update: I noticed that my answer was just a poor duplicate of a well explained question on https://unix.stackexchange.com/... by BryKKan
Here is an extract from it:
```
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>
```
edited Nov 16 at 9:50
answered Nov 15 at 12:55 by gvlax
Adding some explanation would make this answer more useful.
– mx0
Nov 15 at 18:03