Jump to content

PKCS 12

From Wikipedia, the free encyclopedia
(Redirected from PKCS12)
PKCS #12
Filename extension
.p12, .pfx
Internet media type
application/x-pkcs12
Uniform Type Identifier (UTI)com.rsa.pkcs-12[1]
Developed byRSA Security
Initial release1996 (1996)
Latest release
PKCS #12 v1.1
27 October 2012; 12 years ago (2012-10-27)
Type of formatArchive file format
Container forX.509 public key certificates, X.509 private keys, X.509 CRLs, generic data
Extended fromMicrosoft PFX file format

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.[2][3]

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

The filename extension for PKCS #12 files is .p12 or .pfx.[4]

These files can be created, parsed and read out with the OpenSSL pkcs12 command.[5]

Relationship to PFX file format

[edit]

PKCS #12 is the successor to Microsoft's "PFX";[6] however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.[4][5][7]

The PFX format has been criticised for being one of the most complex cryptographic protocols.[7]

Normal usage

[edit]

The full PKCS #12 standard is very complex. It enables buckets of complex objects such as PKCS #8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.[citation needed]

PKCS #12 files are usually created using OpenSSL, which only supports a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java 8, but that may be incompatible with many other systems.[8] As of Java 9 (released 2017-09-21), PKCS #12 is the default keystore format.[9][10]

A simpler, alternative format to PKCS #12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file.

GnuTLS's certtool may also be used to create PKCS #12 files including certificates, keys, and CA certificates via --to-p12. However, beware that for interchangeability with other software, if the sources are in PEM Base64 text, then --outder should also be used.

References

[edit]
  1. ^ "pkcs12". Apple Developer Documentation: Uniform Type Identifiers. Apple Inc. Archived from the original on 2023-05-28.
  2. ^ "PKCS #12: Personal Information Exchange Syntax Standard". RSA Laboratories. Archived from the original on 2017-04-17. This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc.
  3. ^ "PKCS 12 v1.0: Personal Information Exchange Syntax" (PDF). RSA Laboratories. 1999-06-24. Archived from the original (PDF) on 2020-01-16. Retrieved 2020-01-16.
  4. ^ a b Michel I. Gallant (March 2004). "PKCS #12 File Types: Portable Protected Keys in .NET". Microsoft Corporation. Archived from the original on 2023-06-06. Retrieved 2013-03-14. All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types.
  5. ^ a b "openssl-cmds: pkcs12". OpenSSL Project. 2019. Archived from the original on 2023-06-06. Retrieved 2020-01-16. The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed.
  6. ^ Peter Gutmann (August 2002). "Lessons Learned in Implementing and Deploying Crypto Software" (PDF). The USENIX Association. Archived (PDF) from the original on 2023-06-06. Retrieved 2020-01-16. In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12
  7. ^ a b Peter Gutmann (1998-03-12). "PFX - How Not to Design a Crypto Protocol/Standard". Archived from the original on 2023-07-10. Retrieved 2020-01-16.
  8. ^ Kai Kramer (2016-06-05). "p12 files don't show root and sub CA certificates #35". There exists a general problem when the extremely flexible PKCS#12 format is pushed into the keystore API. [...] 2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
  9. ^ "JEP 229: Create PKCS12 Keystores by Default". OpenJDK JEPs. Oracle Corporation. 2014-05-30. Archived from the original on 2023-06-08.
  10. ^ Ryan, Vincent (2014-05-30). "Bug JDK-8044445: Create PKCS12 Keystores by Default". JDK Bug System. Archived from the original on 2023-02-06.
[edit]