Creating a .p12 file

openssl certificate pkcs#12

Isaac Kleinman · Jan 15, 2014 · Viewed 93.3k times · Source

Using openssl, I've created a private key as follows:

openssl genrsa -out myKey.pem

Then, to generate the csr demanded by the CA, I've executed the following:

openssl req -new -key myKey.pem -out cert.csr

The CA responded with a certificate which I stored in a file named myCert.cer

I'd now like to bundle the necessary components (private key, public key(?) and certificate) into a single .p12. To do so I've run the following:

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer

but I'm getting the following error message:

No certificate matches private key

How can I accomplish this?

Answer

The openssl documentation says that file supplied as the -in argument must be in PEM format.

Turns out that, contrary to the CA's manual, the certificate returned by the CA which I stored in myCert.cer is not PEM format rather it is PKCS7.

In order to create my .p12, I had to first convert the certificate to PEM:

openssl pkcs7 -in myCert.cer -print_certs -out certs.pem

and then execute

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem

Creating a .p12 file

Answer

Related questions