Extract public private key from PKCS12 file for later use in SSH-PK-Authentication

Question

I want to extract the public and private key from my PKCS 12 file for later use in SSH-Public-Key-Authentication    Right now  I m generating keys via ssh-keygen which I put into  ssh authorized key  respective somewhere on the client-side   In future  I want to use the keys from a PKCS 12 container  so I ve to extract the public-key first from PKCS 12 and then put them into the  ssh authorized keys file  Is there any chance to get this working via openssl  Are the keys in PKCS 12 compatible for ssh-public-key authentication

User · Answer

The accepted answer is the correct command, I just want to add one additional thing, when extracting the key if you leave the PEM password("Enter PEM pass phrase:") blank then the complete key will not be extracted but only the localKeyID will be extracted. To get the complete key you must specify a PEM password whem running the following command.

Please note that when it comes to Import password, you can specify the actual password for "Enter Import Password:" or can leave this password blank:

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem

User · Answer

Solution 1   Extract P12 from jks  keytool -importkeystore -srckeystore MyRootCA jks -destkeystore MyRootCA p12 -deststoretype PKCS12   Extract PEM from P12 and Edit file and pem from crt file  openssl pkcs12 -in MyRootCA p12 -clcerts -nokeys -out MyRootCA crt   Extract key from jks  openssl pkcs12 -in MyRootCA p12 -nocerts -out encryptedPrivateKey pem openssl rsa -in encryptedPrivateKey pem -out decryptedPrivateKey key   Solution 2   Extract PEM and encryptedPrivateKey to txt file     openssl pkcs12 -in MyRootCA p12 -out keys out txt   Decrypt privateKey  openssl rsa -in encryptedPrivateKey key  -outform PEM  -out decryptedPrivateKey key

User · Answer

OpenSSH cannot use PKCS 12 files out of the box  As others suggested  you must extract the private key in PEM format which gets you from the land of OpenSSL to OpenSSH  Other solutions mentioned here don   t work for me  I use OS X 10 9 Mavericks  10 9 3 at the moment  with    prepackaged    utilities  OpenSSL 0 9 8y  OpenSSH 6 2p2    First  extract a private key in PEM format which will be used directly by OpenSSH   openssl pkcs12 -in filename p12 -clcerts -nodes -nocerts   openssl rsa  gt     ssh id rsa   I strongly suggest to encrypt the private key with password   openssl pkcs12 -in filename p12 -clcerts -nodes -nocerts   openssl rsa -passout  pass Passw0rd    gt     ssh id rsa   Obviously  writing a plain-text password on command-line is not safe either  so you should delete the last command from history or just make sure it doesn   t get there  Different shells have different ways  You can prefix your command with space to prevent it from being saved to history in Bash and many other shells  Here is also how to delete the command from history in Bash   history -d   history   tail -n 2   awk  NR    1   print  1       Alternatively  you can use different way to pass a private key password to OpenSSL - consult OpenSSL documentation for pass phrase arguments   Then  create an OpenSSH public key which can be added to authorized keys file   ssh-keygen -y -f    ssh id rsa  gt     ssh id rsa pub

User · Answer

This is possible with a bit of format conversion   To extract the private key in a format openssh can use   openssl pkcs12 -in pkcs12 pfx -nocerts -nodes   openssl rsa  gt  id rsa   To convert the private key to a public key   openssl rsa -in id rsa -pubout   ssh-keygen -f  dev stdin -i -m PKCS8   To extract the public key in a format openssh can use   openssl pkcs12 -in pkcs12 pfx -clcerts -nokeys   openssl x509 -pubkey -noout   ssh-keygen -f  dev stdin -i -m PKCS8

User · Answer

You can use following commands to extract public private key from a PKCS 12 container    PKCS 1 Private key  openssl pkcs12 -in yourP12File pfx -nocerts -out privateKey pem  Certificates   openssl pkcs12 -in yourP12File pfx -clcerts -nokeys -out publicCert pem

User · Answer

As far as I know PKCS 12 is just a certificate public private key store  If you extracted a public key from PKCS 12 file  OpenSSH should be able to use it as long as it was extracted in PEM format  You probably already know that you also need a corresponding private key  also in PEM  in order to use it for ssh-public-key authentication

User · Answer

Update  I noticed that my answer was just a poor duplicate of a well explained question on https   unix stackexchange com     by BryKKan  Here is an extract from it   openssl pkcs12 -in  lt filename pfx gt  -nocerts -nodes   sed -ne   -BEGIN PRIVATE KEY-   -END PRIVATE KEY- p   gt   lt clientcert key gt   openssl pkcs12 -in  lt filename pfx gt  -clcerts -nokeys   sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p   gt   lt clientcert cer gt   openssl pkcs12 -in  lt filename pfx gt  -cacerts -nokeys -chain   sed -ne   -BEGIN CERTIFICATE-   -END CERTIFICATE- p   gt   lt cacerts cer gt

[ssh] Extract public/private key from PKCS12 file for later use in SSH-PK-Authentication

Examples related to ssh

Examples related to openssl

Examples related to certificate

Examples related to x509

Examples related to pkcs#12