Troubleshooting
Problem
The purpose of this document is to provide steps to extract all the components of a PKCS#12 file. PKCS#12, or PFX (extended by Microsoft), is an archive format used to bundle multiple cryptographic objects into a single file. More information about PKCS#12 can be found here:
https://datatracker.ietf.org/doc/html/rfc7292
In this document we assume there exists a valid PKCS#12 (.pfx or .p12) file containing the private key, the server or client certificate, and the Root CA or chain. Refer to the links for additional information or contact your certificate provider.
Environment
This documentation was created based on OpenSSL 1.1.1n 15 Mar 2022. Additional information and instructions can be found here:
https://www.ibm.com/docs/en/i/7.3?topic=device-portable-utilities-i
https://www.openssl.org/news/openssl-1.1.1-notes.html
Resolving The Problem
1. Create a new IFS folder and change directory into it.
mkdir extracted
cd extracted
2. FTP your .p12 or .pfx file into this directory.
Critical: Use FTP binary mode transfer to transfer your file to the IFS.
3. Run the following command to extract the private key:
openssl pkcs12 -in mypkcs.p12 -nocerts -out private.key
Provide the password that was set when the .p12 file was created. You will then be prompted for a new password to encrypt the private key file.
4. Run the following command to extract the certificate:
openssl pkcs12 -in mypkcs.p12 -clcerts -nokeys -out mycert.crt
5. Remove the password from the private key. Removing the password from the key file exposes you to possible security risks; only decrypt it if you understand those risks.
openssl rsa -in private.key -out decrypted.key
You will be required to provide the password for the private key that was set in Step 3. Place the decrypted key in a safe location; it is now unprotected.
6. Verify that the private key and the server or client certificate match by comparing their modulus hashes.
The hash from the server or client certificate:
openssl x509 -noout -modulus -in mycert.crt | openssl md5
The hash from the unencrypted private key:
openssl rsa -noout -modulus -in decrypted.key | openssl md5
Note: MD5 is the fastest hash. Other digest commands can be listed with openssl list -digest-commands.
Matching hashes confirm that the private key was decrypted correctly and that the server or client certificate was indeed issued for this private key.
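As an added example, not part of the IBM document, the following POSIX shell script automates steps 1 through 6 and generalizes the step 6 check: it compares the SHA-256 of the public key taken from the key file and from the certificate, which works for EC keys as well as RSA, and it reads the PKCS#12 password from an environment variable (P12PASS, an assumed name) instead of prompting. It combines steps 3 and 5 by using -nodes so the decrypted key is written once, under a restrictive umask.

```shell
#!/bin/sh
# Added example, not from the IBM document. Assumes openssl is on PATH and
# the PKCS#12 password is exported in P12PASS (an assumed variable name).
set -eu
umask 077   # files written below (including the decrypted key) are owner-only

# extract_pkcs12 <p12 file> <output dir>
# Steps 1-5 of the procedure: private key (written unencrypted, so steps 3
# and 5 collapse into one), client certificate, and CA chain.
extract_pkcs12() {
  p12="$1"; out="$2"
  mkdir -p "$out"
  # -passin env:VAR keeps the password off the command line (visible in ps).
  openssl pkcs12 -in "$p12" -nocerts -nodes -out "$out/decrypted.key" -passin env:P12PASS
  openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$out/mycert.crt" -passin env:P12PASS
  openssl pkcs12 -in "$p12" -cacerts -nokeys -out "$out/chain.crt" -passin env:P12PASS
}

# key_matches_cert <key file> <cert file>: exit 0 when the key belongs to the cert.
# Step 6 generalized: compares SHA-256 of the DER SubjectPublicKeyInfo, so it
# works for EC keys too (the -modulus check is RSA only).
key_matches_cert() {
  key_hash=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_hash=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_hash" = "$cert_hash" ]
}

# Usage: P12PASS=... ./extract.sh mypkcs.p12 extracted
if [ "$#" -eq 2 ]; then
  extract_pkcs12 "$1" "$2"
  if key_matches_cert "$2/decrypted.key" "$2/mycert.crt"; then
    echo "private key matches certificate"
  else
    echo "MISMATCH: private key does not belong to certificate" >&2; exit 1
  fi
fi
```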
Optional:
To check validity further, you can also compare the hash of the CSR; all 3 hashes should match.
openssl req -noout -modulus -in request.csr | openssl md5
Document Location
Worldwide
Document Information
Modified date:
05 September 2023
UID
ibm16590393