PKCS

The PKCS (Public-Key Cryptography Standards) formats that turn up in day-to-day certificate work: PKCS#12 for key-and-certificate bundles, PKCS#7 for certificate-only chains, PKCS#8 for private key encoding, and PKCS#11 as the interface to hardware tokens.

PKCS#12 (.p12 / .pfx)

PKCS#12 is a password-protected container that bundles a private key, its certificate and the CA chain into a single file: the key (and by default the certificates) are encrypted under a key derived from the password, and a MAC over the whole file detects tampering. It is the primary format for importing a key pair into ISE, Windows, and Java keystores. That also means the password is all that protects the private key while the file is in transit, so keep the password out of shell history and chat, and delete the bundle once it has been imported.

Create a PKCS12 bundle from PEM files
openssl pkcs12 -export \
    -out bundle.p12 \
    -inkey server.key \
    -in server.pem \
    -certfile ca-chain.pem \
    -name "web-server"

The -name sets the friendly name (alias). Java keystores and some appliances use it to identify the entry, and keytool -list displays it.

Create PKCS12 with a specific encryption algorithm — legacy compatibility
openssl pkcs12 -export -legacy \
    -out bundle.p12 \
    -inkey server.key \
    -in server.pem \
    -certfile ca-chain.pem

The -legacy flag exists only in OpenSSL 3.x and reverts to the pre-3.0 defaults: RC2-40-CBC for the certificates, 3DES (PBE-SHA1-3DES) for the private key and a SHA-1 MAC, instead of AES-256-CBC with PBKDF2 and a SHA-256 MAC. It requires the legacy provider to be loadable. Use it only when the target (ISE 3.1, older Windows) rejects the modern bundle, and treat such a file as weakly protected: RC2-40 is a 40-bit cipher, so the bundle password is effectively the only protection the key has.

Extract the end-entity certificate from PKCS12 (-clcerts skips the CA certificates)
openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out cert.pem
Extract the private key from PKCS12; -nodes (spelled -noenc on OpenSSL 3) writes it unencrypted, so lock the file down immediately
openssl pkcs12 -in bundle.p12 -nocerts -nodes -out key.pem
chmod 600 key.pem
Extract only the CA certificates from PKCS12
openssl pkcs12 -in bundle.p12 -cacerts -nokeys -out ca-chain.pem
List the MAC and encryption algorithms without extracting anything (also verifies the MAC; the quickest way to tell a -legacy bundle from a modern one)
openssl pkcs12 -in bundle.p12 -info -noout

PKCS#12 for ISE Import

Create PKCS12 specifically for ISE — include full chain, set friendly name
openssl pkcs12 -export \
    -out ise-cert.p12 \
    -inkey ise-server.key \
    -in ise-server.pem \
    -certfile ca-chain.pem \
    -name "ise-admin-cert"

ISE expects the complete chain in the bundle, every intermediate included (adding the root as well is harmless). A missing intermediate fails the import with a "certificate chain incomplete" error, so confirm that the bundle carries the leaf plus all CA certificates, and that the key belongs to the leaf, before uploading rather than after the error.
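The bundling and ISE-import notes above, as an added worked example that is not from the original page or from Cisco: a bash script that generates a throwaway root, intermediate and server certificate locally, builds the PKCS#12 bundle with the same openssl pkcs12 -export invocation, then runs the three checks worth doing before handing a bundle to an importer: certificate count, chain completeness using only the CA certificates inside the bundle, and key/certificate match. It also builds a second bundle with -certfile omitted to show the incomplete-chain failure. The names (ise.example.internal, Demo Root CA), the password changeit and the temp-dir layout are assumptions for the demo; it needs only the openssl CLI (1.1.1 or 3.x).

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or of any ISE documentation.
# Builds a throwaway two-tier PKI (root -> intermediate -> server) in a temp dir,
# bundles the server key, certificate and chain into a PKCS#12 file exactly as the
# commands above do, then checks the bundle the way an import target will:
# how many certificates it carries, whether the leaf chains to the root using only
# the CA certificates inside the bundle, and whether the key matches the leaf.
# All subjects, names and the password are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='pass:changeit'   # demo bundle password only; in real use supply -passout file:/env: from a secret store

# Generate root, intermediate and server leaf. CA extensions come from explicit
# -extfile sections so the result does not depend on the system openssl.cnf.
make_test_pki() {
    local d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise.example.internal\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -days 1 -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ise.example.internal' -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -days 1 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/ca-chain.pem"   # intermediate first, root last
}

# Bundle exactly as the page's command does, non-interactively.
bundle_p12() {  # $1 key, $2 leaf cert, $3 chain PEM ("" to omit it), $4 output, $5 alias
    if [ -n "$3" ]; then
        openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" -name "$5" -passout "$PASS"
    else
        openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -name "$5" -passout "$PASS"
    fi
}

# Number of certificates (leaf plus CA certificates) carried in the bundle.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Exit 0 only if the leaf chains to the trusted root ($2) using nothing but the CA
# certificates that travel inside the bundle. A missing intermediate makes this fail,
# which is the condition ISE reports as an incomplete chain.
p12_chain_ok() {
    local leaf cas
    leaf="$(mktemp "$WORK/leaf.XXXXXX")"
    cas="$(mktemp "$WORK/cas.XXXXXX")"
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$PASS" -out "$leaf" 2>/dev/null
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "$PASS" -out "$cas" 2>/dev/null
    if [ -s "$cas" ]; then
        openssl verify -CAfile "$2" -untrusted "$cas" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$leaf" >/dev/null 2>&1   # bundle carries no CA certificates at all
    fi
}

# Exit 0 only if the private key in the bundle belongs to the end-entity certificate
# (SHA-256 over the DER SubjectPublicKeyInfo of both must match).
p12_key_matches_cert() {
    local kfp cfp
    kfp="$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "$PASS" 2>/dev/null \
           | openssl pkey -pubout -outform DER | openssl dgst -sha256)"
    cfp="$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "$PASS" 2>/dev/null \
           | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    [ -n "$kfp" ] && [ "$kfp" = "$cfp" ]
}

make_test_pki "$WORK"
bundle_p12 "$WORK/server.key" "$WORK/server.pem" "$WORK/ca-chain.pem" "$WORK/full.p12" web-server
bundle_p12 "$WORK/server.key" "$WORK/server.pem" "" "$WORK/leaf-only.p12" web-server   # the incomplete-chain failure mode

echo '== algorithms and MAC of full.p12 (what -info -noout shows) =='
openssl pkcs12 -in "$WORK/full.p12" -info -noout -passin "$PASS"
for b in full leaf-only; do
    printf '%-14s certs=%s chain=%s key/cert=%s\n' "$b.p12" "$(p12_cert_count "$WORK/$b.p12")" \
        "$(p12_chain_ok "$WORK/$b.p12" "$WORK/root.pem" && echo complete || echo INCOMPLETE)" \
        "$(p12_key_matches_cert "$WORK/$b.p12" && echo match || echo MISMATCH)"
done
```

The chain check deliberately trusts only the root and takes the intermediates from the bundle itself, because that is what the importer has to work with; a check that verifies against a local ca-chain.pem would pass even when the bundle is missing the intermediate.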

PKCS#7 (.p7b)

PKCS#7 (.p7b, a degenerate SignedData with no signature) carries certificates and optionally CRLs but never private keys, which is what makes it the right format for distributing a CA chain: nothing in it is sensitive. crl2pkcs7 writes PEM by default; add -outform DER when the consumer expects a binary .p7b.

Convert PEM certificate to PKCS7
openssl crl2pkcs7 -nocrl -certfile ca-chain.pem -out chain.p7b
Extract certificates from PKCS7
openssl pkcs7 -in chain.p7b -print_certs -out extracted.pem

PKCS#8

PKCS#8 is the algorithm-agnostic private key encoding: PrivateKeyInfo (BEGIN PRIVATE KEY) or, when password-protected, EncryptedPrivateKeyInfo (BEGIN ENCRYPTED PRIVATE KEY). OpenSSL 3 writes it by default for every key type. The "traditional" BEGIN RSA PRIVATE KEY form is PKCS#1 RSAPrivateKey with no algorithm identifier, which is why some older tools still insist on it.

Convert a traditional RSA key to PKCS8 format; -nocrypt writes it unencrypted (drop it, or use -v2 aes-256-cbc, for a password-protected PKCS#8 v2 key)
openssl pkcs8 -topk8 -in rsa-traditional.key -out rsa-pkcs8.key -nocrypt
Convert PKCS8 back to the traditional format when a tool demands it. -traditional is required: without it OpenSSL 3 writes PKCS#8 again (openssl rsa behaves the same way on 3.x)
openssl pkey -in rsa-pkcs8.key -traditional -out rsa-traditional.key
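The three PEM private-key encodings above, as an added example that is not from the original page: a bash script that classifies a key file by its PEM header, carries one RSA key from the traditional PKCS#1 form to unencrypted PKCS#8, to PBES2/AES-256 encrypted PKCS#8 and back to traditional with openssl pkey -traditional, and proves the key material is unchanged by comparing public-key fingerprints. The passphrase demo-only and the file names are assumptions; it needs only the openssl CLI.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Tells the PEM private-key encodings
# apart by header, round-trips an RSA key through PKCS#8 (unencrypted and
# PBES2/AES-256 encrypted) and back to the traditional PKCS#1 form, and confirms
# the key pair survived every conversion. Passphrase is for the demo only.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Classify a PEM private key by its first BEGIN line.
pem_key_format() {
    case "$(grep -m1 -e '-----BEGIN' "$1")" in
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;   # PKCS#8 EncryptedPrivateKeyInfo
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;             # PKCS#8 PrivateKeyInfo, no encryption
        *'BEGIN RSA PRIVATE KEY'*)       echo traditional-rsa ;;   # PKCS#1 RSAPrivateKey, OpenSSL "traditional"
        *'BEGIN EC PRIVATE KEY'*)        echo traditional-ec ;;    # SEC1 ECPrivateKey
        *)                               echo unknown ;;
    esac
}

# SHA-256 over the DER SubjectPublicKeyInfo; equal fingerprints mean the same key pair.
pubkey_fp() {  # $1 key file, $2 optional passphrase (ignored for unencrypted keys)
    openssl pkey -in "$1" -passin "pass:${2:-}" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

openssl genrsa -out "$WORK/gen.key" 2048 2>/dev/null
# Normalise to the traditional PKCS#1 form: OpenSSL 3 genrsa emits PKCS#8, 1.1.1 emits PKCS#1.
openssl pkey -in "$WORK/gen.key" -traditional -out "$WORK/rsa-traditional.key"
# Traditional -> PKCS#8, unencrypted (what -nocrypt on the page produces).
openssl pkcs8 -topk8 -nocrypt -in "$WORK/rsa-traditional.key" -out "$WORK/rsa-pkcs8.key"
# Traditional -> PKCS#8 v2 with PBES2: PBKDF2 (600k iterations) + AES-256-CBC.
openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 600000 -in "$WORK/rsa-traditional.key" \
    -passout pass:demo-only -out "$WORK/rsa-pkcs8-enc.key"
# And back: decrypt and rewrite in the traditional form for a tool that insists on it.
openssl pkey -in "$WORK/rsa-pkcs8-enc.key" -passin pass:demo-only -traditional -out "$WORK/roundtrip.key"

for f in rsa-traditional rsa-pkcs8 rsa-pkcs8-enc roundtrip; do
    printf '%-20s %-17s %s\n' "$f.key" "$(pem_key_format "$WORK/$f.key")" "$(pubkey_fp "$WORK/$f.key" demo-only)"
done
```

The fingerprint column is identical for all four files: the encoding and the encryption wrapper change, the key does not. The same pubkey_fp comparison is the quickest way to confirm that a key file on disk belongs to a given certificate (compare against openssl x509 -pubkey -noout piped through the same digest).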

PKCS#11 — Hardware Token Interface

PKCS#11 (Cryptoki) is the C API through which applications use keys held in hardware security modules (HSMs), smart cards and tokens: the private key stays on the device and only operations (sign, decrypt, derive) cross the API. YubiKeys (via OpenSC), SoftHSM and hardware HSMs each ship a module (.so/.dll) that pkcs11-tool and other consumers load.

List objects on a PKCS11 token via pkcs11-tool (the module path is distro-specific; Debian/Ubuntu install OpenSC's as /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects
List available slots/tokens (run this first; select one with --slot or --token-label when several are present)
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Test login to a token and run the built-in self-test; private objects are only listed after --login, and passing --pin on the command line leaks it to the process list and shell history, so let it prompt
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --test

Java Keystore (JKS) Conversion

Import PKCS12 into Java keystore (keytool prompts for both store passwords; -srcstorepass/-deststorepass avoid the prompt but expose the secrets to the process list)
keytool -importkeystore \
    -srckeystore bundle.p12 -srcstoretype PKCS12 \
    -destkeystore keystore.jks -deststoretype JKS
Export from Java keystore to PKCS12
keytool -importkeystore \
    -srckeystore keystore.jks -srcstoretype JKS \
    -destkeystore bundle.p12 -deststoretype PKCS12

JKS is a proprietary format; since Java 9 the default keystore type is PKCS12 and keytool warns when it writes JKS, so convert to .jks only for software that still insists on it and otherwise hand the .p12 over directly.