PKCS12 Import Export
In this tutorial you will learn how to easily and intuitively create, import, export and manage your PKCS12 bundles. This page includes command examples for the most common use cases.
If you already have a bundle and want to import it into your HSM partition, or want to export an existing bundle, skip to the PKCS#12 Export via Rest-API or PKCS#12 Import via Rest-API sections below.
Generating PKCS#12 Components
If you do not already have a PKCS#12 bundle available, here are some commands to create the components for one directly on your HSM partition.
Generate Key Pair
First we need to generate the key pair. The process is described in detail on our How to Create a Key? page.
Generate Certificate
Next, we need to create a certificate. If you have a CA signed certificate already, you can continue to the next section. If you do not have a certificate, you can generate it directly on the HSM. Similarly to the key pair, we provide detailed instructions on our Self-Signed Certificate page.
Now that you have your Key pair and Certificate created on the HSM, you can Export via Rest-API, knowing that all components of the bundle are generated and stored securely on the HSM.
PKCS#12 Export via Rest-API
Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)
To export your PKCS#12 bundle, update the values of `label` (e.g. `p12-bundle`), `password` and `pkcs12ContainerPassword`, set `type` to `PKCS12` and execute the following request:

GET: /v1/key/export/plain

```json
{
  "label": "p12-bundle",
  "password": "12345678",
  "type": "PKCS12",
  "pkcs12ContainerPassword": "87654321"
}
```
Setting `type` to `PKCS12` instructs the TSB to create the bundle. The TSB then reads `label` and `password` to find the components needed for the bundle. `pkcs12ContainerPassword` is the password that will be needed to open the bundle in the future, so it is crucial to provide the correct details.
From the output of the above, take the full value of `pkcs12container` and save it to a file:

"pkcs12container": "MIIKSgIBAzCCCfQGCSqGSIb3DQEHAaCCCe...

Convert the base64 file into a `.p12` or `.pfx` file:

```shell
base64 -d securosys-p12-cert.p12.b64 > securosys-p12-cert.p12
```

You can now view the full content of the bundle by running this OpenSSL command:

```shell
openssl pkcs12 -in ./securosys-p12-cert.p12 -info -nodes -passin pass:87654321
```
PKCS#12 Import via Rest-API
Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)
- If `policy` is not defined in the request below, the import creates an SKA key (Smart Key Attributes): you cannot export it later on, but it supports multi-authorization; the policy will be empty, meaning it is always fulfillable.
- If `policy` is null, the key will be a normal key.
More information on Smart Key Attributes.
If you are interested in importing a P12 bundle, this implies that some or all of its components were not generated on the HSM (e.g. a CA signed certificate). Whether you created your keys and certificates with OpenSSL or another solution, you first have to convert the files into the `.p12` or `.pfx` format:

```shell
openssl pkcs12 -export -in ca.crt -inkey ca.key -out securosys-p12-cert.p12 -name my-key-alias -passout pass:12345678
```
Parameters
Parameter | Description |
---|---|
-in | -in infile (Input file) |
-inkey | Private key, else read from -in input file |
-out | Output file |
-name | Use name as friendly name |
-passout | Output file pass phrase source (this parameter sets the KeyPassword and PKCS#12 container password) |
-password | Set PKCS#12 import/export password source |
For the purpose of this tutorial we use a simple passphrase, 12345678, but you should use a secure passphrase.

Then the new file needs to be base64 encoded so that it can be imported into the TSB via Rest-API:
- Unix: `base64 securosys-p12-cert.p12 -w 0`
- Windows (cmd): `certutil -encode securosys-p12-cert.p12 cert.b64`
- Windows (Powershell): `powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('securosys-p12-cert.p12'))"`

The Unix command above (with `-w 0`) prints the base64 content to your terminal as a single line, without newlines. We will need this output as the value of `pkcs12` in the API request below.
POST: /v1/importPlainKey

To import the PKCS#12 bundle, update the values of `label`, `pkcs12`, `pkcs12KeyName`, `pkcs12KeyPassword` and `pkcs12KeystorePassword` and execute the following request:

```json
{
  "label": "p12-bundle",
  "pkcs12": "MIIQuAIBAzCCEG4GCSqGSIb3DQEHAaCCEF8EghBbMIIQVzCCBhoGCSqGSIb3DQEHBqCCBgswgg...",
  "pkcs12KeyName": "my-key-alias",
  "pkcs12KeyPassword": "12345678",
  "pkcs12KeystorePassword": "12345678",
  "attributes": {
    "encrypt": null,
    "decrypt": true,
    "verify": null,
    "sign": true,
    "wrap": null,
    "unwrap": true,
    "derive": true,
    "bip32": false,
    "slip10": false,
    "extractable": true,
    "modifiable": true,
    "destroyable": true,
    "sensitive": false,
    "copyable": false
  },
  "policy": null
}
```
You must update the default values of these two attributes to `"extractable": true` and `"sensitive": false`, as shown in the example above, to be able to export the P12 bundle later.
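As an added example (not code from the Securosys page or the TSB itself), the following Python helpers tie the export and import sections together: decoding the `pkcs12container` value from the export response into the DER bytes of a `.p12` file, normalizing the output of any of the three encoders above to the single-line base64 the `pkcs12` field requires, and building the `/v1/importPlainKey` body with the two attributes just discussed. The function names and the structural PFX check are this example's own, and the sample values are constructed; the HTTP call itself is left to the caller.

```python
import base64

# Added example, not the page's own code: helpers around the two REST bodies
# shown above; HTTP transport and real passwords are left to the caller.
PEM_MARKERS = ("-----BEGIN", "-----END")

def looks_like_pfx(raw: bytes) -> bool:
    """Structural check: PFX ::= SEQUENCE { version INTEGER(3), ... }."""
    if len(raw) < 5 or raw[0] != 0x30:
        return False
    i = 2 + ((raw[1] & 0x7F) if raw[1] & 0x80 else 0)  # skip long-form length
    return raw[i:i + 3] == b"\x02\x01\x03"

def decode_exported_bundle(response_json: dict) -> bytes:
    """'pkcs12container' from /v1/key/export/plain -> raw DER .p12 bytes."""
    raw = base64.b64decode(response_json["pkcs12container"], validate=True)
    if not looks_like_pfx(raw):
        raise ValueError("pkcs12container does not decode to a PKCS#12 PFX")
    return raw

def single_line_base64(encoded: str) -> str:
    """One line and no PEM BEGIN/END lines: 'base64 -w 0' output already
    complies, certutil -encode output (wrapped, with header lines) does not."""
    lines = [ln.strip() for ln in encoded.splitlines()]
    value = "".join(ln for ln in lines if ln and not ln.startswith(PEM_MARKERS))
    base64.b64decode(value, validate=True)  # binascii.Error if corrupt
    return value

def build_import_request(label, p12_bytes, key_alias, key_password,
                         keystore_password, exportable=True):
    """Body for /v1/importPlainKey. exportable=True sets the two attributes
    the page calls out ("extractable": true, "sensitive": false); False
    keeps the key non-extractable and sensitive."""
    attributes = {
        "encrypt": None, "decrypt": True, "verify": None, "sign": True,
        "wrap": None, "unwrap": True, "derive": True,
        "bip32": False, "slip10": False,
        "extractable": exportable, "modifiable": True, "destroyable": True,
        "sensitive": not exportable, "copyable": False,
    }
    return {
        "label": label,
        "pkcs12": single_line_base64(base64.b64encode(p12_bytes).decode()),
        "pkcs12KeyName": key_alias,
        "pkcs12KeyPassword": key_password,
        "pkcs12KeystorePassword": keystore_password,
        "attributes": attributes,
        "policy": None,  # null = normal key; omit the field for an SKA key
    }
```

Write the bytes returned by `decode_exported_bundle` to a file with the `.p12` extension and the OpenSSL command above will read it directly.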
Now your PKCS#12 bundle is uploaded and stored on the HSM. You can remove any local copies of it and in the future download it again by following the PKCS#12 Export via Rest-API instructions.