Skip to main content

Scenario 1: importing certificates from PKCS#12 file

PKCS#12 format (.p12 or .pfx extension) is the standard for exchanging RSA keys and X.509 certificates.
In Firefox (NSS) or Windows Certificate Manager, it is possible to export certificates to PKCS#12 format.

A PKCS#12 file may bundle:

  • RSA key pairs (private and public keys).
  • X.509 user certificates.
  • Root CA X.509 certificates.

To create a PKCS#12 file, use OpenSSL command:

$ openssl pkcs12 -export -out key-file.pkcs12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt

The pros : you may transfer your PKCS#12 key to a CD-ROM and store it in a safe place. Remove your key from the computer, so that it resides only on the smart card. If the smart card is lost or destroyed, you can initialize a new smart card.
The cons : this solution is not considered perfectly secure. If your computer or backup is compromised, the secret key may be compromised.

Warning: always make a backup of the original PCS#12 file containing certificates.
Warning

To import a PKCS#12 file, type:

$ pkcs15-init --store-private-key key-file.p12 --format pkcs12 --id 2649a19d5d6a216913c5a0c8bb9f97229dec99ab --auth-id 01 --pin 0000

--auth-id is the ID of your PIN.
--id is the ID of the imported key.

If --id is omitted, a default ID is created.

Using reader with a card: Feitian SCR301 00 00
Please enter passphrase to unlock secret key:
Importing 3 certificates:
0: /CN=J**********@***********/emailAddress=*************
1: /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
2: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org

Please note you may add --key-usage to your command line to specify additional key usage.

Then dump content of smartcard:

$ pkcs15-tool --dump
Using reader with a card: Feitian SCR301 00 00
PKCS#15 Card [François Pérou]:
Version : 0
Serial number : 2963094713181210
Manufacturer ID: EnterSafe
Last update : 20110220103102Z
Flags : EID compliant

PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:16, stored_len:16
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x10E], decrypt, sign, signRecover, derive
Access Flags : [0x0]
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f005015
Auth ID : 01
ID : 2649a19d5d6a216913c5a0c8bb9f97229dec99ab

X.509 Certificate [/CN=***********/emailAddress=@***********]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f0050153100
ID : 2649a19d5d6a216913c5a0c8bb9f97229dec99ab
Encoded serial : 02 03 00C520

X.509 Certificate [/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050153101
ID : ef47e5fca7e04e356d41b0192d725eb0e54fc3af
Encoded serial : 02 01 01

X.509 Certificate [/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050153102
ID : c81e42ceda0bc1d65c9051b0eb8679e29dd6c067
Encoded serial : 02 01 00

As you notice, this command transfers private RSA key, X.509 certificates and CA root certificate.
There is no need to import the RSA public key as it can be derived from RSA public key.