Using openssl, I've created a private key as follows:
openssl genrsa -out myKey.pem
Then, to generate the csr demanded by the CA, I've executed the following:
openssl req -new -key myKey.pem -out cert.csr
The CA responded with a certificate which I stored in a file named myCert.cer
I'd now like to bundle the necessary components (private key, public key(?) and certificate) into a single .p12. To do so I've run the following:
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer
but I'm getting the following error message:
No certificate matches private key
How can I accomplish this?
The openssl documentation says that the file supplied as the -in argument must be in PEM format.
Turns out that, contrary to the CA's manual, the certificate returned by the CA which I stored in myCert.cer is not in PEM format; rather, it is PKCS7.
In order to create my .p12, I had to first convert the certificate to PEM:
openssl pkcs7 -in myCert.cer -print_certs -out certs.pem
and then execute
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem
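An added example (not part of the original answer): a POSIX shell helper that identifies what a CA actually sent by inspecting the file's content rather than its extension, converts it to PEM with the matching openssl command, and checks the key against the certificate before the export. The function names and the cct_ variable prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a "certificate" file by content, not by extension.

# Prints one of: x509-pem, pkcs7-pem, x509-der, pkcs7-der, unknown
cert_container_type() {
    # PEM armor: the label on the BEGIN line names the container.
    if LC_ALL=C grep -q -e '-----BEGIN PKCS7-----' "$1"; then echo pkcs7-pem; return; fi
    if LC_ALL=C grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo x509-pem; return; fi
    # DER: outer SEQUENCE tag (30), a length, then the first inner element.
    cct_hex=$(od -An -tx1 -N 20 "$1" | tr -d ' \n')
    case $cct_hex in
        3081*)     cct_rest=${cct_hex#??????} ;;      # 1 length byte follows
        3082*)     cct_rest=${cct_hex#????????} ;;    # 2 length bytes follow
        3083*)     cct_rest=${cct_hex#??????????} ;;  # 3 length bytes follow
        30[0-7]?*) cct_rest=${cct_hex#????} ;;        # short-form length
        *)         echo unknown; return ;;
    esac
    case $cct_rest in
        06092a864886f70d010702*) echo pkcs7-der ;;  # OID 1.2.840.113549.1.7.2 (signedData)
        30*)                     echo x509-der ;;   # tbsCertificate SEQUENCE
        *)                       echo unknown ;;
    esac
}

# Write the certificate(s) in $1 to $2 as PEM, ready for `openssl pkcs12 -export -in`.
normalize_to_pem() {
    case $(cert_container_type "$1") in
        x509-pem)  cp "$1" "$2" ;;
        x509-der)  openssl x509 -inform DER -in "$1" -out "$2" ;;
        pkcs7-pem) openssl pkcs7 -in "$1" -print_certs -out "$2" ;;
        pkcs7-der) openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" ;;
        *) echo "unrecognised certificate container: $1" >&2; return 1 ;;
    esac
}

# Succeeds when private key $1 and the first certificate in PEM file $2
# carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
```

Typical use: `normalize_to_pem myCert.cer certs.pem && key_matches_cert myKey.pem certs.pem`, then run the `openssl pkcs12 -export` command with `-in certs.pem`.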
I'm debugging an issue I'm having with SSL connecting to a database (MySQL RDS) using an ORM called Prisma. The database connection string requires a PKCS12 (.p12) file (if interested, described here), which brought me here.
I know the question has been answered, but I found the following steps (in GitHub Issue #2676) to be helpful for creating a .p12 file and wanted to share. Good luck!
Generate 2048-bit RSA private key:
openssl genrsa -out key.pem 2048
Generate a Certificate Signing Request:
openssl req -new -sha256 -key key.pem -out csr.csr
Generate a self-signed x509 certificate suitable for use on web servers.
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
Create SSL identity file in PKCS12 as mentioned here
openssl pkcs12 -export -out client-identity.p12 -inkey key.pem -in certificate.pem