PKCS 12

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

PKCS #12
Filename extension
.p12, .pfx
Internet media type
application/x-pkcs12
Uniform Type Identifier (UTI)0
Developed byRSA Security
Initial release1996 (1996)
Latest release
PKCS #12 v1.1
(27 October 2012 (2012-10-27))
Type of formatArchive file format
Container forX.509 public key certificates, X.509 private keys, X.509 CRLs, generic data
Extended fromMicrosoft PFX file format

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.[1][2]

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

The filename extension for PKCS #12 files is .p12 or .pfx.[3]

These files can be created, parsed and read out with the OpenSSL pkcs12 command.[4]

Relationship to PFX file format

PKCS #12 is the successor to Microsoft's "PFX";[5] however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.[3][4][6]

The PFX format has been criticised for being one of the most complex cryptographic protocols.[6]

Normal usage

The full PKCS #12 standard is very complex. It enables buckets of complex objects such as PKCS #8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.

PKCS #12 files are usually created using OpenSSL, which only supports a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java 8, but that may be incompatible with many other systems. As of Java 9, PKCS #12 is the default keystore format.[7][8]

A simpler, alternative format to PKCS #12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file.

GnuTLS's certtool may also be used to create PKCS #12 files including certificates, keys, and CA certificates via --to-pk12. However, beware that for interchangeability with other software, if the sources are in PEM Base64 text, then --outder should also be used.

gollark: ?tag blub Graham considers a hypothetical Blub programmer. When the programmer looks down the "power continuum", he considers the lower languages to be less powerful because they miss some feature that a Blub programmer is used to. But when he looks up, he fails to realise that he is looking up: he merely sees "weird languages" with unnecessary features and assumes they are equivalent in power, but with "other hairy stuff thrown in as well". When Graham considers the point of view of a programmer using a language higher than Blub, he describes that programmer as looking down on Blub and noting its "missing" features from the point of view of the higher language.
gollark: > As long as our hypothetical Blub programmer is looking down the power continuum, he knows he's looking down. Languages less powerful than Blub are obviously less powerful, because they're missing some feature he's used to. But when our hypothetical Blub programmer looks in the other direction, up the power continuum, he doesn't realize he's looking up. What he sees are merely weird languages. He probably considers them about equivalent in power to Blub, but with all this other hairy stuff thrown in as well. Blub is good enough for him, because he thinks in Blub.
gollark: Imagine YOU are a BLUB programmer.
gollark: Imagine a language which is UTTERLY generic in expressiveness and whatever, called blub.
gollark: There's the whole "blub paradox" thing.

References
  1. "PKCS #12: Personal Information Exchange Syntax Standard". RSA Laboratories. Archived from the original on 2017-04-17. This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc.
  2. "PKCS 12 v1.0: Personal Information Exchange Syntax" (PDF). RSA Laboratories. 1999-06-24. Retrieved 2020-01-16.
  3. Michel I. Gallant (March 2004). "PKCS #12 File Types: Portable Protected Keys in .NET". Microsoft Corporation. Retrieved 2013-03-14. All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types.
  4. "openssl-cmds: pkcs12". OpenSSL Project. 2019. Retrieved 2020-01-16. The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed.
  5. Peter Gutmann (August 2002). "Lessons Learned in Implementing and Deploying Crypto Software" (PDF). The USENIX Association. Retrieved 2020-01-16. In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12
  6. Peter Gutmann (1998-03-12). "PFX - How Not to Design a Crypto Protocol/Standard". Retrieved 2020-01-16.
  7. "JEP 229: Create PKCS12 Keystores by Default". OpenJDK JEPs. Oracle Corporation. 2014-05-30.
  8. Ryan, Vincent (2014-05-30). "Bug JDK-8044445: Create PKCS12 Keystores by Default". JDK Bug System.
  • RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.