Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


Skip to end of metadata
Go to start of metadata

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files. The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Expand/Collapse All

Generate a PKCS10 request


 Syntax

This is the syntax for "Generate a PKCS10 request"

pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-bc] [-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>]
 Options and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The required password for the PKCS12 soft token.
-certrequest <subject-dn>The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-signalgorithm <signAlgId> The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA,  ECDSA, -RSA.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
 Examples

Generate a PKCS10 request using a PKCS12 file:

pkcs12 example.p12 password -bc -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token


 Syntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]
 Options and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-ecGenerates a new EC (elliptic curve) key pair.
-curve <ec-curve>The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsaGenerates a new DSA key pair.
-rsaGenerates a new RSA key pair.
-keylength <length>

The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.

-keyalgorithm <keyAlgID>The optional key algorithm to use.
-signalgorithm <SignAlgId>The optional signature algorithm to use.
 Examples

Generate an RSA key pair and store in a PKCS12 file:

pkcs12 example.p12 password -bc -rsa

Generate an EC key pair and store in a PKCS12 file:

pkcs12 example.p12 password -bc -ec

Add a certificate to a PKCS12 soft token


 Syntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}] -updatecert <cert-file>
 Options and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use.Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-updatecert <cert-file>The required name of the certificate file to add to the PKCS12 soft token.
 Examples

Add a certificate to a PKCS12 file:

pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token


 Syntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}] -remove
 Options and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-removeThe required flag signalling that the designated key pair should be removed from the PKCS12 soft token.
 Examples

Remove a key pair from a PKCS12 file:

pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token


 Syntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-bc] [-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]
 Options and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-allThe optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.
 Examples

Detail the contents of a PKCS12 file:

pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

pkcs12 example.p12 password -out example

This article is valid for Certificate Manager 8.1 and later.

Related information