14

I would like to extract the public part of a revoked P12 which doesn't belong to me. I can't open it with KeyStore Explorer because I am prompted for the password; is it possible with OpenSSL?

The password only protects the private key(s), not the certificate, am I right?

crypto-learner
  • The PKCS #12 standard allows both encrypted archives containing cleartext certificates and cleartext private keys as well as cleartext archives containing cleartext certificates and encrypted private keys. Depending on what system created your p12 file, you might have either; only in the second case can you get what you want. – Reid Rankin Jul 17 '15 at 21:06
  • if any part of it is readable, this site might help (not sure if P12 is ASCII or binary): https://lapo.it/asn1js/ – makerofthings7 Aug 16 '15 at 19:56

4 Answers

10

It can be done with openssl. In a terminal type:

openssl pkcs12 -in myfile.p12 -nokeys -nomacver

And just press ENTER when the import key is requested. The certificates contained in the PKCS12 file should be printed (in PEM format) on the standard output.

NOTE: even if the certificates are present in plain text in the PKCS12 file, the integrity of the file's full content is protected by a Message Authentication Code (MAC). Without the password you are not able to verify that the file has not been modified, which means that anyone who could access the file would be able to add, remove or modify the certificates. It may be a security concern, not necessarily in your case, but you should keep that in mind if you want to reuse that tip in other circumstances.

Jcs
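Reid Rankin's comment and the NOTE in this answer describe the two things that decide the outcome: the certificate bags may sit in cleartext while the key bags are encrypted, and the MAC over the whole archive cannot be checked without the password. The following is an added example, not code from the question or from any answer, that walks the PKCS#12 structure with a minimal DER parser, collects the cleartext certificates, counts the encrypted safes it had to skip, and reports that the MAC was present but unverified. It assumes definite-length DER with an id-data authSafe and x509Certificate certBags (the layout OpenSSL and Java produce); the function names (`inspect_pfx`, `build_sample_pfx`, `members`, `to_pem`) are my own, and the sample PFX, including its "certificate", is constructed placeholder data.

```python
"""Added example, not from the answers above: a minimal DER walker that reads the cleartext
certificates out of a PKCS#12 (PFX) file with no password and reports what it could not check.
Assumes definite-length DER, an id-data authSafe and x509Certificate certBags, as OpenSSL and Java
produce. The sample PFX is constructed in-code; its "certificate" is placeholder bytes."""
import base64
from typing import Dict, List, Tuple

# DER content bytes of the OIDs from RFC 7292 / PKCS#7 (dotted form in the comments).
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1  id-data
OID_ENCRYPTED_DATA = bytes.fromhex("2a864886f70d010706")  # 1.2.840.113549.1.7.6  id-encryptedData
OID_CERT_BAG = bytes.fromhex("2a864886f70d010c0a0103")    # 1.2.840.113549.1.12.10.1.3  certBag
OID_X509_CERT = bytes.fromhex("2a864886f70d01091601")     # 1.2.840.113549.1.9.22.1  x509Certificate
OID_SHA1 = bytes.fromhex("2b0e03021a")                    # 1.3.14.3.2.26  sha1 (MacData placeholder)


def der(tag: int, *children: bytes) -> bytes:
    """Wrap the concatenated children in a definite-length DER TLV with the given tag."""
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one definite-length DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def members(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def inspect_pfx(p12: bytes) -> Dict[str, object]:
    """Cleartext certs (DER), count of encrypted safes skipped, MAC presence. The MAC is never verified."""
    fields = members(read_tlv(p12)[1])                  # PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
    content_type, content = members(fields[1][1])       # authSafe is a ContentInfo { contentType, [0] content }
    if content_type[1] != OID_DATA:
        raise ValueError("authSafe is not id-data: the whole archive is enveloped, nothing is readable")
    auth_safe_der = members(content[1])[0][1]           # [0] EXPLICIT OCTET STRING carrying AuthenticatedSafe
    certs, encrypted = [], 0
    for _, ci in members(read_tlv(auth_safe_der)[1]):   # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        ci_type, ci_content = members(ci)
        if ci_type[1] == OID_ENCRYPTED_DATA:
            encrypted += 1                               # password-protected safe (normally the keys): skipped
            continue
        if ci_type[1] != OID_DATA:
            continue
        safe_contents = members(ci_content[1])[0][1]     # OCTET STRING -> SafeContents ::= SEQUENCE OF SafeBag
        for _, bag in members(read_tlv(safe_contents)[1]):
            bag_fields = members(bag)                    # SafeBag ::= SEQUENCE { bagId, [0] bagValue, attrs OPTIONAL }
            if bag_fields[0][1] != OID_CERT_BAG:
                continue
            cert_id, cert_value = members(members(bag_fields[1][1])[0][1])  # CertBag { certId, [0] certValue }
            if cert_id[1] == OID_X509_CERT:
                certs.append(members(cert_value[1])[0][1])  # OCTET STRING holding the DER certificate
    return {"certs": certs, "encrypted_safes": encrypted,
            "mac_present": len(fields) == 3, "mac_verified": False}


def to_pem(cert_der: bytes) -> str:
    """Render a DER certificate the way `openssl pkcs12 -nokeys` prints it."""
    body = base64.b64encode(cert_der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def build_sample_pfx(cert_der: bytes) -> bytes:
    """Construct a PFX with one cleartext certBag, one encryptedData safe and a placeholder MacData."""
    cert_bag = der(0x30, der(0x06, OID_CERT_BAG),
                   der(0xA0, der(0x30, der(0x06, OID_X509_CERT), der(0xA0, der(0x04, cert_der)))))
    clear_safe = der(0x30, der(0x06, OID_DATA), der(0xA0, der(0x04, der(0x30, cert_bag))))
    # Stand-in for the key safe: its EncryptedData body is constructed filler, opaque without the password.
    encrypted_safe = der(0x30, der(0x06, OID_ENCRYPTED_DATA),
                         der(0xA0, der(0x30, der(0x02, b"\x00"), der(0x04, b"constructed-ciphertext"))))
    auth_safe = der(0x30, der(0x06, OID_DATA), der(0xA0, der(0x04, der(0x30, clear_safe, encrypted_safe))))
    mac_data = der(0x30, der(0x30, der(0x30, der(0x06, OID_SHA1), der(0x05)), der(0x04, b"\x00" * 20)),
                   der(0x04, b"\x00" * 8))               # DigestInfo with an all-zero placeholder MAC, then macSalt
    return der(0x30, der(0x02, b"\x03"), auth_safe, mac_data)


# Constructed placeholder standing in for a DER certificate; not a real X.509 structure.
SAMPLE_CERT_DER = der(0x30, der(0x04, b"constructed placeholder, not a real X.509 certificate"))

if __name__ == "__main__":
    report = inspect_pfx(build_sample_pfx(SAMPLE_CERT_DER))
    print("".join(to_pem(c) for c in report["certs"]), end="")
    print(f"# skipped {report['encrypted_safes']} encrypted safe(s); MAC present: {report['mac_present']}, "
          f"verified: {report['mac_verified']} (no password, so tampering would go unnoticed)")
```

The `mac_verified: False` in the report is the programmatic form of the NOTE above: `openssl pkcs12 -nomacver` does the same skipping, so anything read this way carries no integrity guarantee and should be treated as untrusted input until its contents are checked against another source (for instance the issuing CA's records). A file whose `authSafe` is itself `encryptedData` raises `ValueError`, which is the first case in Reid Rankin's comment, where nothing is readable without the password.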
0

You can use openssl or keytool command to extract the public key from a p12 file, but the integrity will not be verified.

user45475
-1

Yes, you are right, the password is protecting the private key.

First question here: the key already got revoked, so why do you want to use the revoked one again? Is there an intentional reason to work on it?

You can open the public part by using the keytool command. The command follows here:

keytool -list -keystore myfile.p12 -storetype pkcs12 -rfc

It will prompt for a password; just pressing the enter button will do the job.

user45475
  • You didn't understand... I DON'T have the password, but I want to see the certificate, which is public info, so I guess that I could extract this info without a password as it is public... but if I am prompted for a password, this means that the password doesn't only protect the private key, it protects the whole P12 file! That's what I want to know: can I extract public info without the password? – crypto-learner Feb 15 '15 at 09:53
  • No. That's what I explained in my answer: whether it is a key store or a p12 file, it doesn't matter, there are two types of password protection here. One is for the overall p12 file and another for the private key. Without the password for the p12 file, you cannot open the file to get a cert, and the reason behind this is that there are n number of certs available to trust; if someone can change the public part then there may be a chance for it to be verified by other clients. But in the case of a keystore you can create a file without protecting the keystore, protecting only the private key. – user45475 Feb 17 '15 at 22:12
-1
the Java keystore contains certificate information

To be more precise, it contains public keys or key pairs (public and private key). The keystore is protected by a password and every private key is also protected by a password. However, you are able to change or remove passwords. It's up to you. A Java keystore is like a detached keystore of a web browser, i.e.

Mozilla -> Edit -> Preferences -> Advanced -> Certificates, Chrome -> Settings -> Advanced Settings -> HTTPS/SSL

Such a Certificate Manager manages your certificates, people's public keys, and server or Certificate Authority certificates, which are also public keys. They are stored in the keystore of a browser.

but this information is public (i.e. other machine certificates which you want the local machine to trust)

Public are only the keys that don't need any protection, the public keys. Private keys are not public and are protected by a password.

You decide when to use the keys, and when it is stolen it is not easy to extract information from it. So a keystore is a security enhancement.

But you speak generally about the level of trust, or trust metrics.

To do this you need to know that private keys can theoretically also be guessed, so your security is not 100%. Today's supercomputer listed at Top500 Supercomputer Sites with 33,862.7 TeraFlops/s could brute-force your private key. Theoretically, your computer/laptop can be stolen or your keystore can be stolen and your passwords can be read by a trojan.

You will end up asking how high the risk is if your keystore were stolen and decrypted, and what you can do to prevent it. This is often also a question of effort and price.

If your risk is high, then you need to store your keystore on a detached disk (i.e. a pen drive), use long complex passwords and use a specially protected machine to connect from.


If you are talking about the truststore, the risk isn't that someone will see or steal the certs in the truststore. The risk is that someone will add a certificate into the store which you do not want to trust. The store should first be protected by the OS permissions. The password is an additional protection.

user45475
  • Thanks but it doesn't answer my question, which is: I don't have the P12 password, can I (and how) extract public certificates? – crypto-learner Feb 17 '15 at 21:21
  • you can use openssl or keytool command to extract cert from p12, but the integrity cannot be verified and the revoked cert is of no use anywhere – user45475 Mar 26 '16 at 00:32