Hi Michael,

    openssl pkcs12 -in "inCert.p12" -out "out.pem" -passin pass:<pw> -nodes

is sufficient to convert all credentials in the PKCS#12 file to a single PEM file, with the key being stored unencrypted.
Since OpenSSL 3.0, the outdated -nodes option has been deprecated, so it is better to use -noenc there.

To get the leaf cert only, your

    openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw>

is adequate, while to get the related key only, it is sufficient to use

    openssl pkcs12 -in "inCert.p12" -nocerts -noenc -out "outKey.pem" -passin pass:<pw>

To decrypt any type of key, you can use, e.g.,

    openssl pkey -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>

All the commands mentioned above work regardless of the key type (RSA, EC, etc.).
If you really need to handle (in this case: decrypt) specifically EC keys, you can use, e.g.,

    openssl ec -in "outTmpKey.pem" -out "outKey.pem" -passin pass:<pw>

On Wed, 2022-05-25 at 19:23 +0000, Lynch, Pat wrote:
> Try adding the following command line arguments: -outform pem

This won't work because the openssl pkcs12 command does not have an -outform option.
And for those having it, such as openssl x509, it is not needed because PEM is the default.

Regards,
David

> From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Beilharz, Michael
> Sent: Wednesday, May 25, 2022 3:10 AM
> To: 'openssl-users@openssl.org' <openssl-users@openssl.org>
> Subject: How to convert .P12 Certificate (ECC crypted) to .PEMs
>
> Hi OpenSSL Community,
>
> actual I have to convert a .P12 certificate (RSA crypted/created) into .PEM certificates,
> I use the following commands:
>
>     openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw>
>     openssl pkcs12 -in "outCert.pem" -nocerts -out "outTmpKey.pem" -passin pass:<pw> -passout pass:<pw>
>     openssl rsa -in "ouTmpKey.pem" -out "outKey.pem" -passin pass:<pw>
>
> I can’t say, if these 3 commands are the best way, but they still work fine and I can use the outCert.pem and the outKey.pem.
>
> Now I have to convert a .P12 certificate, which is crypted/created with ECC.
>
> The first command still works (I think so, ‘cause there are no errors):
>
>     openssl pkcs12 -in "inCert.p12" -clcerts -nokeys -out "outCert.pem" -passin pass:<pw>
>
> But not the rest of the commands. I tried to use the ec or ecparam parameter, but I couldn’t figure out how to use them correct.
>
> I am happy about any help or hint
>
>
> Regards
> Michael
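
The key-type-independent extraction described in the reply above, as an added example that is not part of the original thread: it splits a PKCS#12 file into leaf certificate and unencrypted key, keeps the key file owner-only, and checks that the key actually belongs to the certificate. The function names split_p12 and make_demo_p12, the demo subject and the demo password are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: make_demo_p12 /tmp/demo demo-pw && split_p12 /tmp/demo/inCert.p12 demo-pw /tmp/demo

split_p12() {   # split_p12 <in.p12> <password> <outdir>
    p12=$1; pw=$2; out=$3
    # -noenc replaces the deprecated -nodes since OpenSSL 3.0; older
    # releases (and LibreSSL) only know -nodes.
    noenc=-noenc
    openssl version | grep -q '^OpenSSL [3-9]' || noenc=-nodes
    (
        umask 077   # the key is written unencrypted, so make it owner-only
        # Note: pass:<pw> is visible in the process list; OpenSSL also
        # accepts env:VAR or file:path for -passin.
        openssl pkcs12 -in "$p12" -clcerts -nokeys \
            -out "$out/outCert.pem" -passin "pass:$pw" &&
        openssl pkcs12 -in "$p12" -nocerts $noenc \
            -out "$out/outKey.pem" -passin "pass:$pw"
    ) || return 1
    # Works for RSA and EC alike: derive the public key from both files
    # and require them to be identical.
    cert_pub=$(openssl x509 -in "$out/outCert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$out/outKey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

make_demo_p12() {   # make_demo_p12 <dir> <password>  (constructed EC test input)
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/k.pem" &&
    openssl req -x509 -new -key "$1/k.pem" -subj "/CN=demo.invalid" \
        -days 1 -out "$1/c.pem" &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -out "$1/inCert.p12" -passout "pass:$2"
}
```

split_p12 returns non-zero if either extraction fails (for example on a wrong password) or if the extracted key does not match the certificate.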