PKCS12 Import Export

In this tutorial you will learn how to easily and intuitively create, import, export and manage your PKCS12 bundles. This page includes command examples for the most common use cases.

If you have a bundle and are interested in importing it into your HSM partition, or exporting an existing bundle, skip to

Generating a PKCS#12 Bundle

If you do not already have a pkcs12 bundle available, here are some commands to create one.

First we need to have a private key and a certificate:

openssl req -new -x509 -nodes -sha256 -newkey rsa:4096 -days 3650 -subj '/CN=localhost' -keyout ca.key -out ca.crt

Next we use the key and cert to generate a .p12 (or .pfx) bundle:

openssl pkcs12 -export -in ca.crt -inkey ca.key -out securosys-p12-cert.p12 -name my-key-alias -passout pass:12345678

Parameters

| Parameter | Description |
| --- | --- |
| -in | -in infile (Input file) |
| -inkey | Private key, else read from -in input file |
| -out | Output file |
| -name | Use name as friendly name |
| -passout | Output file pass phrase source (this parameter sets the KeyPassword and PKCS#12 container password) |
| -password | Set PKCS#12 import/export password source |

passphrase

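For the purpose of this tutorial, we use a simple passphrase 12345678, but you should use a secure passphrase. A passphrase given as pass:... on the command line is visible in the shell history and the process list; OpenSSL also accepts env:VAR and file:PATH as pass phrase sources.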

Lastly, to prepare for the Rest-API request, we need to encode the .p12 bundle into base64:

  • Unix: base64 securosys-p12-cert.p12 -w 0
  • Windows (cmd): certutil -encode securosys-p12-cert.p12 cert.b64
  • Windows (PowerShell): powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes('securosys-p12-cert.p12'))"
note

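The Unix command prints the base64 content in clear text on your terminal; -w 0 disables line wrapping, so the output contains no newlines. We will need this output as the value of pkcs12 in our API requests later. Note that certutil -encode writes to cert.b64 with BEGIN/END CERTIFICATE lines and line breaks, which have to be removed to get the same single-line value.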

PKCS#12 Import via Rest-API

info

Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)

SKA-Policy
  • If the policy is not defined in the request below, the key is imported as an SKA key (Smart Key Attributes): for example, you cannot export it later on, but you can perform multi-authorization. The policy will be empty, meaning it is always fulfillable.
  • If the policy is null, the key will be a normal key.

More information on Smart Key Attributes.

POST: /v1/importPlainKey

To import the PKCS#12 bundle, update the values of label, pkcs12, pkcs12KeyName, pkcs12KeyPassword, pkcs12KeystorePassword and execute the following request:

{
  "label": "p12-bundle",
  "pkcs12": "MIIQuAIBAzCCEG4GCSqGSIb3DQEHAaCCEF8EghBbMIIQVzCCBhoGCSqGSIb3DQEHBqCCBgswgg...",
  "pkcs12KeyName": "my-key-alias",
  "pkcs12KeyPassword": "12345678",
  "pkcs12KeystorePassword": "12345678",
  "attributes": {
    "encrypt": null,
    "decrypt": true,
    "verify": null,
    "sign": true,
    "wrap": null,
    "unwrap": true,
    "derive": true,
    "bip32": false,
    "slip10": false,
    "extractable": false,
    "modifiable": true,
    "destroyable": true,
    "sensitive": null,
    "copyable": false
  },
  "policy": null
}
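
The base64 step and the import request above, combined in an added Python example (not Securosys code): it normalizes the output of any of the three encoding commands to single-line base64, checks that it decodes to a PKCS#12 header, and builds the /v1/importPlainKey body. The function names and the sample input are assumptions made for illustration; the header check is a sanity check, not a full PKCS#12 parse.

```python
import base64
import json
import re

# Matches the "-----BEGIN CERTIFICATE-----" / "-----END ...-----" lines certutil adds.
ARMOR_LINE = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")

def check_pfx_header(raw: bytes) -> None:
    """A PKCS#12 PFX is an ASN.1 SEQUENCE whose first element is INTEGER 3."""
    if len(raw) < 2 or raw[0] != 0x30:
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    # Skip the length: one octet, or 0x80|n followed by n octets (n = 0: indefinite).
    idx = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
    if raw[idx:idx + 3] != b"\x02\x01\x03":
        raise ValueError("PFX version 3 not found; is this really a .p12 file?")

def normalize_b64(text: str) -> str:
    """Return single-line base64: armor lines and all whitespace removed."""
    lines = (ln.strip() for ln in text.splitlines())
    body = "".join("".join(ln.split()) for ln in lines if ln and not ARMOR_LINE.match(ln))
    check_pfx_header(base64.b64decode(body, validate=True))  # rejects stray characters
    return body

def build_import_request(label, b64_text, key_name, key_password, keystore_password):
    """Body for POST /v1/importPlainKey, with the attribute values shown on this page."""
    return {
        "label": label,
        "pkcs12": normalize_b64(b64_text),
        "pkcs12KeyName": key_name,
        "pkcs12KeyPassword": key_password,
        "pkcs12KeystorePassword": keystore_password,
        "attributes": {
            "encrypt": None, "decrypt": True, "verify": None, "sign": True,
            "wrap": None, "unwrap": True, "derive": True, "bip32": False,
            "slip10": False, "extractable": False, "modifiable": True,
            "destroyable": True, "sensitive": None, "copyable": False,
        },
        "policy": None,  # null, as in the page's request
    }

# Constructed sample: certutil-style text holding only the first 9 bytes of a PFX
# (SEQUENCE header + INTEGER 3), enough for the header check, not a usable bundle.
SAMPLE_CERTUTIL = "-----BEGIN CERTIFICATE-----\r\nMIIQuAIB\r\nAzCC\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    req = build_import_request("p12-bundle", SAMPLE_CERTUTIL, "my-key-alias", "12345678", "12345678")
    print(json.dumps(req, indent=2))
```
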

PKCS#12 Export via Rest-API

info

Rest-API: v2.4.0 and higher
Supported Algorithms: EC & RSA (not yet ML-DSA)

Viewing/Exporting your PKCS#12 bundle happens in two steps:

View PKCS#12 Certificate

Update the value of label (e.g. p12-bundle) and execute the following request:

GET: /v1/certificate/keyName

View PKCS#12 Private Key

Update the values of label and password, and execute the following request:

POST: /v1/key/attributes

{
  "label": "p12-bundle",
  "password": "12345678"
}

With the combined output of the two export requests, you have successfully exported the details of your .p12 bundle.