PKCS12 Import Export
In this tutorial you will learn how to easily and intuitively create, import, export and manage your PKCS12 bundles. This page includes command examples for the most common use cases.
If you already have a bundle and want to import it into your HSM partition, or want to export an existing one, skip to the sections PKCS#12 Import via Rest-API and PKCS#12 Export via Rest-API below.
Generating a PKCS#12 Bundle
If you do not already have a pkcs12 bundle available, here are some commands to create one.
First we need a private key and a certificate. The command below creates a 4096-bit RSA key and a self-signed certificate valid for 10 years; because of -nodes the key file ca.key is written unencrypted, so keep it on a protected path:
openssl req -new -x509 -nodes -sha256 -newkey rsa:4096 -days 3650 -subj '/CN=localhost' -keyout ca.key -out ca.crt
Next we use the key and cert to generate a .p12 (or .pfx) bundle:
openssl pkcs12 -export -in ca.crt -inkey ca.key -out securosys-p12-cert.p12 -name my-key-alias -passout pass:12345678
Parameters
Parameter | Description |
---|---|
-in | -in infile (Input file) |
-inkey | Private key, else read from -in input file |
-out | Output file |
-name | Use name as friendly name |
-passout | Output file pass phrase source (this parameter sets the KeyPassword and PKCS#12 container password) |
-password | Set PKCS#12 import/export password source |
For the purpose of this tutorial we use the simple passphrase 12345678, but you should use a strong passphrase. Note that pass:12345678 places the passphrase on the command line, where it ends up in your shell history and is visible to other users in the process list; for real keys prefer another OpenSSL passphrase source such as -passout stdin or -passout file:/path/to/passfile.
Lastly, to prepare for the Rest-API request, we need to encode the .p12 bundle into base64:
- Unix:
base64 securosys-p12-cert.p12 -w 0
- Windows (cmd):
certutil -encode securosys-p12-cert.p12 cert.b64
- Windows (Powershell):
powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('securosys-p12-cert.p12'))"
The Unix command prints the base64 content to your terminal; -w 0 disables line wrapping, so the output is a single line without newlines, which is what we need. The PowerShell command also produces a single line. certutil -encode on the other hand writes a file (cert.b64) with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines around base64 wrapped at 64 columns: strip both header lines and join the remaining lines into one before use. We will need this single-line base64 string as the value of pkcs12 in our API requests later.
PKCS#12 Import via Rest-API
Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)
- If policy is omitted from the request below, the key is imported as an SKA key (Smart Key Attributes): it cannot be exported later, but it supports multi-authorization. The policy attached to it will be empty, meaning it is always fulfillable.
- If policy is null, the key is imported as a normal key.
More information on Smart Key Attributes.
POST: /v1/importPlainKey
To import the PKCS#12 bundle, update the values of label, pkcs12, pkcs12KeyName, pkcs12KeyPassword and pkcs12KeystorePassword, and execute the following request:
{
"label": "p12-bundle",
"pkcs12": "MIIQuAIBAzCCEG4GCSqGSIb3DQEHAaCCEF8EghBbMIIQVzCCBhoGCSqGSIb3DQEHBqCCBgswgg...",
"pkcs12KeyName": "my-key-alias",
"pkcs12KeyPassword": "12345678",
"pkcs12KeystorePassword": "12345678",
"attributes": {
"encrypt": null,
"decrypt": true,
"verify": null,
"sign": true,
"wrap": null,
"unwrap": true,
"derive": true,
"bip32": false,
"slip10": false,
"extractable": false,
"modifiable": true,
"destroyable": true,
"sensitive": null,
"copyable": false
},
"policy": null
}
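The base64 step and the import request above are easy to get subtly wrong when copying between tools: certutil output still carries PEM headers and line breaks, and a string pasted from a terminal is often cut short (like the "..." in the request body above). The script below is an added example, not code from the Securosys documentation or its REST API; it only prepares the request body offline and does not talk to an HSM. The function names (normalize_base64, der_outer_length, is_complete_pkcs12, build_import_request) are this example's own, the attributes block is copied from the request above, and FAKE_P12 is a constructed DER SEQUENCE standing in for a real .p12 so the script runs without openssl.

```python
"""Prepare the pkcs12 field of the /v1/importPlainKey request (added example).

Assumptions not taken from the tutorial: the helper names below are this
example's own, and FAKE_P12 is a constructed stand-in for a real bundle.
"""
import base64
import json
import re

# certutil -encode wraps its output in these lines; base64 -w 0 and
# PowerShell's ToBase64String do not.
_PEM_HEADER = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


def normalize_base64(text: str) -> str:
    """Turn the output of any of the three encoding commands into one line."""
    text = _PEM_HEADER.sub("", text)
    return "".join(text.split())  # drops every newline, CR, space and tab


def der_outer_length(data: bytes) -> int:
    """Return the total encoded size of the outermost DER element.

    A PKCS#12 PFX is an ASN.1 SEQUENCE (tag 0x30). Comparing the length in
    its header with len(data) catches a base64 string that was cut short
    or that picked up stray characters while being pasted.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a .p12/.pfx?")
    first = data[1]
    if first < 0x80:  # short form: the byte is the length itself
        return 2 + first
    n = first & 0x7F  # long form: n big-endian length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_complete_pkcs12(data: bytes) -> bool:
    """True when the blob is exactly one complete DER SEQUENCE."""
    try:
        return der_outer_length(data) == len(data)
    except ValueError:
        return False


def build_import_request(p12: bytes, label: str, key_name: str,
                         key_password: str, keystore_password: str,
                         policy=None) -> dict:
    """Build the importPlainKey body shown in the tutorial.

    policy=None serialises to JSON null, i.e. a normal (exportable) key;
    pass a policy dict to import an SKA key instead.
    """
    if not is_complete_pkcs12(p12):
        raise ValueError("PKCS#12 blob is truncated or not DER")
    b64 = base64.b64encode(p12).decode("ascii")  # single line, no newlines
    return {
        "label": label,
        "pkcs12": b64,
        "pkcs12KeyName": key_name,
        "pkcs12KeyPassword": key_password,
        "pkcs12KeystorePassword": keystore_password,
        "attributes": {
            "encrypt": None, "decrypt": True, "verify": None, "sign": True,
            "wrap": None, "unwrap": True, "derive": True,
            "bip32": False, "slip10": False,
            "extractable": False, "modifiable": True, "destroyable": True,
            "sensitive": None, "copyable": False,
        },
        "policy": policy,
    }


# Constructed stand-in for a .p12: a DER SEQUENCE with a long-form length
# of 300 bytes (0x82 0x01 0x2c). It is not a real PKCS#12 structure.
FAKE_P12 = b"\x30\x82\x01\x2c" + b"\x00" * 0x12C


def decode_from_certutil(text: str) -> bytes:
    """Recover the raw bundle from a certutil-style (or any) encoding."""
    return base64.b64decode(normalize_base64(text), validate=True)


if __name__ == "__main__":
    body = build_import_request(FAKE_P12, "p12-bundle", "my-key-alias",
                                "12345678", "12345678")
    print(json.dumps(body, indent=2))
```

To use it with a real bundle, read securosys-p12-cert.p12 in binary mode and pass the bytes to build_import_request; the DER length check is cheap and fails fast on a truncated paste, before the HSM rejects the request with a less helpful error.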
PKCS#12 Export via Rest-API
Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)
Viewing/Exporting your PKCS#12 bundle happens in two steps:
View PKCS#12 Certificate
Update the value of label (e.g. p12-bundle) and execute the following request:
View PKCS#12 Private Key
Update the values of label and password and execute the following request. Exporting the private key is only possible for a normal key (imported with "policy": null as in the import request above); an SKA key cannot be exported.
POST: /v1/key/attributes
{
"label": "p12-bundle",
"password": "12345678"
}
With the combined output of the two export requests, you have successfully exported the details of your .p12 bundle.