Extract certificate and private key from a pkcs12 container in Digital Access

This article describes how to extract the certificate and private key from a pkcs12 container for use in Smart ID Digital Access component.

Prerequisites

• OpenSSL must be installed on your machine. You can read more here: https://www.openssl.org/source/

• You must have access to the .pfx file and the import password for the certificate.

Extract root CA certificate

openssl x509 -in certificate.p12 -out root.crt -nokeys -cacerts

This command extracts the root certificate and save it to the root-certificate.pem file.

Extract intermediate CA certificate

openssl x509 -in certificate.p12 -out intermediate.crt -nokeys -clcerts

This command extracts the intermediate certificate and save it to intermediate-certificate.pem file.

Extract public certificate

openssl pkcs12 -in certificate.p12 -out certificate.pem -clcerts -nokeys

This command extracts the public certificate and saves it to certificate.pem file.

Extract manually in Windows

You can also extract the root CA certificate and intermediate CA certificate from the certificate chain manually in Windows. This is done from a PFX file manually without the commands. Do the following.

1. Extract the certificates from the PFX file.

2. View the contents of the certificates to identify the root certificate and the intermediate certificates.

3. Export the root and intermediate certificates to separate files.

Extract Private Key

The following commands extracts private key from the PFX file and saves it in the private_key.pem file.

Encrypted

openssl pkcs8 -topk8 -inform PEM -outform PEM  -in in.key -out out.pkcs8 -v1 PBE-MD5-DES

Ensure that you have provided the password as the key is encrypted.

Unencrypted

openssl pkcs12 -in certificate.p12 -out key.pem -nocerts -nodes

Configuration in Digital Access

Once you have the private key and certificate files, configure it in the Digital Access by the following steps from Add certificates in Digital Access.