openssl pkcs12: Export and Import .p12 Bundles
openssl pkcs12 bundles a private key and certificate chain into a single PKCS#12 file, or extracts them out.
Java, .NET, and many client tools consume .p12/.pfx. pkcs12 is how you produce one from PEM and how you crack it back open.
What it does
openssl pkcs12 -export combines a private key and one or more certificates into a password-protected PKCS#12 file. Without -export it reads a .p12 and prints the keys and certs as PEM.
Common usage
# PEM -> .p12
openssl pkcs12 -export -inkey key.pem -in cert.pem \
-certfile chain.pem -out bundle.p12 -passout pass:changeit
# .p12 -> PEM (key + certs, unencrypted)
openssl pkcs12 -in bundle.p12 -nodes -passin pass:changeit -out all.pemOptions
| Flag | What it does |
|---|---|
| -export | Create a PKCS#12 file (otherwise it reads one) |
| -inkey <file> | Private key to include |
| -in <file> | Certificate (export) or .p12 (import) |
| -certfile <file> | Extra CA certs to add to the chain |
| -nodes | On import, leave extracted keys unencrypted |
| -passin / -passout pass:<x> | Import/export passwords non-interactively |
| -legacy | OpenSSL 3.x: use legacy RC2/3DES encryption |
In CI
OpenSSL 3.x changed the default encryption to AES-256-CBC. A .p12 made on 3.x can fail to import in older Java/.NET with "unsupported"; add -legacy on the export to produce the older RC2/3DES format those runtimes expect.
Common errors in CI
"Mac verify error: invalid password?" means the -passin password is wrong. "Error outputting keys and certificates ... error:0308010C:digital envelope routines::unsupported" on OpenSSL 3.x reading an old .p12 means the legacy provider is needed; add -legacy or -provider legacy -provider default.