Skip to content
Latchkey

openssl pkcs12: Export and Import .p12 Bundles

openssl pkcs12 bundles a private key and certificate chain into a single PKCS#12 file, or extracts them out.

Java, .NET, and many client tools consume .p12/.pfx. pkcs12 is how you produce one from PEM and how you crack it back open.

What it does

openssl pkcs12 -export combines a private key and one or more certificates into a password-protected PKCS#12 file. Without -export it reads a .p12 and prints the keys and certs as PEM.

Common usage

Terminal
# PEM -> .p12
openssl pkcs12 -export -inkey key.pem -in cert.pem \
  -certfile chain.pem -out bundle.p12 -passout pass:changeit
# .p12 -> PEM (key + certs, unencrypted)
openssl pkcs12 -in bundle.p12 -nodes -passin pass:changeit -out all.pem

Options

FlagWhat it does
-exportCreate a PKCS#12 file (otherwise it reads one)
-inkey <file>Private key to include
-in <file>Certificate (export) or .p12 (import)
-certfile <file>Extra CA certs to add to the chain
-nodesOn import, leave extracted keys unencrypted
-passin / -passout pass:<x>Import/export passwords non-interactively
-legacyOpenSSL 3.x: use legacy RC2/3DES encryption

In CI

OpenSSL 3.x changed the default encryption to AES-256-CBC. A .p12 made on 3.x can fail to import in older Java/.NET with "unsupported"; add -legacy on the export to produce the older RC2/3DES format those runtimes expect.

Common errors in CI

"Mac verify error: invalid password?" means the -passin password is wrong. "Error outputting keys and certificates ... error:0308010C:digital envelope routines::unsupported" on OpenSSL 3.x reading an old .p12 means the legacy provider is needed; add -legacy or -provider legacy -provider default.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →