• Use and utility of .p12 certificate/file


    The .p12 contains both the private and the public key, and also information about the owner (name, email address, etc.), all being certified by a third party. With such a certificate, a user can identify himself and authenticate himself to any organization trusting the third party.

    You should be able to see the content of the p12 file with

    openssl pkcs12 -info -in filename.p12
    

    provided openssl is installed in your system.

    Comments:

    The p12 is normally protected with a password and is not shared. It is imported in an application (e.g. a browser or a password manager). When an authentication must take place, the browser sends the identification information and its public key. The server then offers a challenge only the owner of the private key can solve. The browser then sends back the solution of the challenge and the user is both identified and authenticated. Anyone getting access to the p12 will be able to impersonate the real owner. Oct 26 '13 at 8:59

    Why does a PKCS12 file have a private key

    A PKCS12 used by a client should contain a private key and cert/chain for the client, which is used to authenticate the client so the server knows an SSL/TLS connection is from a legitimate/authorized client and thus requests on this connection should be accepted and/or given appropriate privilege(s). Ideally a client should use a key generated by itself combined with a cert either issued by a CA the server trusts or issued by the server itself, but in some situations an authority like the server admin just provides a key and certs in a PKCS12 so they don't have to spend 20 or 30 hours a day instructing users on how PKI works and how to generate a key and how to generate a key that is not the wrong type or too short or otherwise unacceptable and how to type data into a CSR and what is a CSR and why a CSR isn't a cert and also isn't a key and why their CSR was defective and how they should type the correct data into a CSR so it will actually work and how to look for the key they generated 2 hours ago but have now lost or deleted or overwritten or converted to something else or put on the wrong machine etc etc.

    The client keypair(s) should be different from the server keypair, and the server private key indeed should never be distributed to a client, or anywhere except a key backup facility or a replacement server. If the server uses either a self-signed cert or a cert issued by a CA that is not pre-trusted, then a cert (not key) serving as a trust anchor for the server, the cert itself if self-signed and otherwise usually the CA root cert, must be imported as trusted on the client(s).

    View PKCS#12 Information on Screen

    To dump all of the information in a PKCS#12 file to the screen in PEM format, use this command:

    openssl pkcs12 -info -in INFILE.p12 -nodes

    You will then be prompted for the PKCS#12 file’s password:

    Enter Import Password:

    Type the password entered when creating the PKCS#12 file and press enter. OpenSSL will output any certificates and private keys in the file to the screen:

    Bag Attributes
        localKeyID: AC 3E 77 9A 99 62 84 3D 77 CB 44 0D F9 78 57 7C 08 28 05 97
    subject=/CN=Aaron  Russell/emailAddress=*********@gmail.com
    issuer=/C=US/ST=Texas/L=Houston/O=SSL Corp/CN=SSL.com Client Certificate Intermediate CA RSA R1
    -----BEGIN CERTIFICATE-----
    MIIF1DCCA7ygAwIBAgIQcOrAJCMayJsZBKJsyz/aQDANBgkqhkiG9w0BAQsFADB+
    MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x
    ETAPBgNVBAoMCFNTTCBDb3JwMTowOAYDVQQDDDFTU0wuY29tIENsaWVudCBDZXJ0

    ...

    bwK6ABAZUq6QcvhD0LYsXya+ncDCR6wxb9E0DWd4ATQMzxGTu/yE3kT+9Ef6IY+n
    armh3HZUfan2Hb64YD0tjLMca/PC+sKAZu28gB/3HQRHIFugvh6RO3bIoorl0jUg
    1Ml2r83++biS0HL6JdcwuuUF
    -----END PRIVATE KEY-----
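    The following script is an added example, not code from the original page or from the quoted answers. It builds a throw-away PKCS#12 bundle so that the three points made above can be exercised end to end: dumping the bundle with `openssl pkcs12 -info -nodes`, confirming that the password actually gates access to the private key, separating the certificate (the part that may be handed out as a trust anchor) from the private key (the part that must never be), checking that the two belong together, and reproducing the comment's challenge/response idea by signing a nonce with the private key and verifying it with the certificate. It assumes only that `openssl` (1.1.1 or 3.x) is on PATH; the subject name, e-mail address, file names and password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): build a disposable PKCS#12 file,
# then inspect and dissect it as the answers above describe.
# Assumes: openssl on PATH. Everything lives in a temp dir removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12="$WORK/client.p12"
PASS="constructed-example-password"   # constructed; a real bundle uses a real secret

# 1. Generate a client key pair and a self-signed cert (stand-in for a CA-issued one),
#    then bundle both into a password-protected PKCS#12 file.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" \
        -subj "/CN=example client/emailAddress=client@example.invalid" \
        >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -name "example client" -out "$P12" -passout "pass:$PASS"
}

# 2. Dump everything in the bundle: this is the command quoted on the page.
dump_p12() {
    openssl pkcs12 -info -in "$P12" -nodes -passin "pass:$PASS"
}

# 3. The password is the only thing between a copied .p12 and the private key,
#    so a wrong password must fail rather than yield anything.
wrong_password_rejected() {
    if openssl pkcs12 -in "$P12" -nodes -passin "pass:not-the-password" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 4. Split the bundle: certificate only (distributable as a trust anchor) and
#    private key only (never distributed). Also derive the cert's public key.
extract_parts() {
    openssl pkcs12 -in "$P12" -nokeys -clcerts -passin "pass:$PASS" \
        -out "$WORK/anchor.crt" 2>/dev/null
    openssl pkcs12 -in "$P12" -nocerts -nodes -passin "pass:$PASS" \
        -out "$WORK/extracted.key" 2>/dev/null
    openssl x509 -in "$WORK/anchor.crt" -pubkey -noout > "$WORK/anchor.pub"
}

# Subject of the certificate inside the bundle, as shown in the "subject=" line.
p12_subject() {
    extract_parts
    openssl x509 -in "$WORK/anchor.crt" -noout -subject
}

# 5. Confirm the key and cert belong together: the public key embedded in the
#    certificate must equal the public half of the extracted private key.
key_matches_cert() {
    extract_parts
    key_pub=$(openssl pkey -in "$WORK/extracted.key" -pubout)
    [ "$(cat "$WORK/anchor.pub")" = "$key_pub" ]
}

# 6. The challenge/response from the comment: the server picks a nonce, only the
#    private-key holder can sign it, and anyone with the certificate can verify.
challenge_response_ok() {
    extract_parts
    printf 'constructed-nonce-12345' > "$WORK/challenge.bin"   # server-chosen value
    openssl dgst -sha256 -sign "$WORK/extracted.key" \
        -out "$WORK/challenge.sig" "$WORK/challenge.bin"
    openssl dgst -sha256 -verify "$WORK/anchor.pub" \
        -signature "$WORK/challenge.sig" "$WORK/challenge.bin" >/dev/null
}

# Stand-alone run: build, dump, and report each check.
make_p12
dump_p12
wrong_password_rejected && echo "wrong password rejected: ok"
key_matches_cert        && echo "private key matches certificate: ok"
challenge_response_ok   && echo "challenge signed and verified: ok"
echo "subject: $(p12_subject)"
```

    Note that `anchor.crt` is the only file here that would ever leave the machine; `extracted.key` and the `.p12` itself carry the private key, which is why the comment above says that whoever obtains the bundle can impersonate its owner.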
    
  • Original article: https://www.cnblogs.com/chucklu/p/15650803.html