Home/ Questions/Q 8375471
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T15:11:11+00:00

I’m trying to convert a P12 file to a PEM file. When I execute

  • 0

I’m trying to convert a P12 file to a PEM file. When I execute the command, the terminal asks me for three things:

P12 passphrase (I type it in, hit enter)
PEM passphrase (type it in, hit enter)
PEM passphrase confirm (type it in, hit enter)

I know I can execute a sudo command all in one shot by using the following:

echo sudopassword | sudo rm -rf /file.p12;

How can I add all three values in one shot? Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Can you explain what these P12 files are? I found this link which deals with the conversion of pkcs12 Cert/key files to .PEM format using openssl. (http://gridsite.org)

    Key to the answer is:

    Use -passin file:... and -passout file:... for unattended processing

    It’s my guess that you will have to specify the -passin file:P12passphrase and -passout file PEMpassphrase options for this case.

    This little test confirms how an input passphrase can be specified through a file:<...> parameter. This helps to hide such phrases from any over the shoulder attacks. Don’t forget to restrict access to such files. Even though it’s a common feature of most openssl commands, it’s not explicitly mentioned and it is key to the original question. The full list of options is below.

    $ openssl pkcs12 -passin file:P12phrase
Can't open file P12phrase
Error getting passwords

    (I leave it to the OP to construct the full command.)

    Below are all supported options for the pkcs12 subcommand:

    $ openssl pkcs12 help 
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-maciter      use MAC iteration
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into
              the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key
    • 0