6

Burp-Suite's http://burp/cert:8080 web-interface for downloading the CA Certificate only provides a .der encoded certificate, but for a particular use-case scenario I require a PKCS#12 .pfx/.p12.

I can find a lot of information regarding the conversion from .der to .pem and also the conversion from .pem to .pfx/.p12, but nothing for converting directly from .der to .pfx/.p12:


  • .der > .pem
    `openssl x509 -inform der -in certificate.der -out certificate.pem`

  • .pem > .pfx/.p12
    `openssl pkcs12 -export -in certificate.pem -out certificate.p12`

  1. Can I convert directly from .der to .pfx/.p12?
  2. Do I need a .key (not provided via http://burp/cert:8080) in order to do the conversion?
  3. Will the .pfx/.p12 even be of any use to me (and Burp-Suite) without the .key rolled in?
voices
  • commandline `openssl pkcs12` cannot create a p12 without a privatekey (with matching cert). If your 'particular use-case' is Burp, it intercepts HTTPS by using CAkey to forge certs so the CAcert alone is useless. I don't know any software that uses a p12 with only cert(s) except Java 8, and for Java JKS has better support for either privatekey&chain OR certs-only. But you can use Java 8 `keytool` to 'import' lone cert(s), either DER or PEM, to a p12. – dave_thompson_085 Jun 20 '16 at 14:25

1 Answer

3
  1. Can I convert directly from a .der to a .pfx/.p12?

I don't think so, because OpenSSL uses PEM encoding for certificates by default unless you set it explicitly using the -inform or -outform arguments. There is no such option listed in the pkcs12 command.

  2. Do I need a .key (not provided via http://burp/cert:8080) in order to do the conversion?

You don't have to provide a key for the PKCS12 command if you use the -nodes option. With this option OpenSSL does not use encryption for the file created.

  3. Will the .pfx/.p12 even be of any use to me (and Burp-Suite) without the .key rolled in?

In your case, yes. Because you will only store your certificates in that file, you do not need it to be encrypted. Note that the PKCS12 file format is generally used to store private keys with their corresponding certificates in a single file format. In that case, you should use a key to keep your private keys in an encrypted file.

Makif
  • `openssl pkcs12 -nodes` applies only when _reading_ a p12 and extracting to separate key&cert (PEM) files; it is ignored when _writing_ a p12. Although openssl library can create a p12 with only cert(s), commandline `pkcs12` cannot. And in openssl by default, and other software I've looked at (Microsoft, Mozilla, and Java) _always_, certs _are_ encrypted, although weakly so (commonly pbeSHA1withRC2-40). – dave_thompson_085 Jun 20 '16 at 14:26
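
Added example, not taken from any of the posts above: a DER certificate is piped through `openssl x509` straight into `openssl pkcs12 -export -nokeys` (an option the posts do not mention), and the resulting file is then inspected to confirm it holds one certificate and no private key. It assumes an `openssl` binary on the PATH; the throwaway certificate, the file names and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: DER certificate -> certificate-only PKCS#12, then verify contents.
P12_PASS='changeit'   # constructed demo password

# Stand-in for the .der downloaded from Burp: a throwaway self-signed cert.
make_sample_der() {   # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Constructed Demo CA' \
    -keyout "$1/throwaway.key" -out "$1/sample.pem" 2>/dev/null &&
  openssl x509 -in "$1/sample.pem" -outform der -out "$1/certificate.der" &&
  rm -f "$1/throwaway.key" "$1/sample.pem"   # only the DER cert is left
}

# DER -> (PEM on a pipe) -> PKCS#12 that contains the certificate only.
der_to_p12() {        # $1 = input .der, $2 = output .p12
  openssl x509 -inform der -in "$1" |
    openssl pkcs12 -export -nokeys -out "$2" -passout "pass:$P12_PASS"
}

# Number of certificates stored in the PKCS#12 file.
count_certs() {       # $1 = .p12
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys stored in the PKCS#12 file (expected: none).
count_keys() {        # $1 = .p12
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null |
    grep -c 'BEGIN.*PRIVATE KEY' || true
}

# SHA-256 fingerprints, to check the packed cert is the one we started with.
fingerprint_der() { openssl x509 -inform der -in "$1" -noout -fingerprint -sha256; }
fingerprint_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

demo() {
  work=$(mktemp -d) || return 1
  make_sample_der "$work" &&
    der_to_p12 "$work/certificate.der" "$work/certificate.p12" &&
    echo "certs=$(count_certs "$work/certificate.p12")" \
         "keys=$(count_keys "$work/certificate.p12")"
  rm -rf "$work"
}
demo
```

The resulting file carries no private key, so it can only act as a container of certificates to trust; as the first comment notes, Burp's interception itself depends on the CA key.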