pkcs12 command-line tool in Certificate Manager

This article is valid for Certificate Manager 8.5 and later.

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.

The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Generate a PKCS10 request

Syntax

This is the syntax for "Generate a PKCS10 request"

CODE

pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>]

Options and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The required password for the PKCS12 soft token.
-certrequest <subject-dn>	The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-signalgorithm <signAlgId>	The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.

Examples

Generate a PKCS10 request using a PKCS12 file:

CODE

pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token

Syntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

CODE

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]

Options and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>	The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-ec	Generates a new EC (elliptic curve) key pair.
-curve <ec-curve>	The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsa	Generates a new DSA key pair.
-rsa	Generates a new RSA key pair.
-keylength <length>	The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.
-keyalgorithm <keyAlgID>	The optional key algorithm to use.
-signalgorithm <SignAlgId>	The optional signature algorithm to use.

Examples

Generate an RSA key pair and store in a PKCS12 file:

CODE

pkcs12 example.p12 password -rsa

Generate an EC key pair and store in a PKCS12 file:

CODE

pkcs12 example.p12 password -ec

Add a certificate to a PKCS12 soft token

Syntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

CODE

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -updatecert <cert-file>

Options and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use.Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-updatecert <cert-file>	The required name of the certificate file to add to the PKCS12 soft token.

Examples

Add a certificate to a PKCS12 file:

CODE

pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token

Syntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

CODE

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -remove

Options and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-remove	The required flag signalling that the designated key pair should be removed from the PKCS12 soft token.

Examples

Remove a key pair from a PKCS12 file:

CODE

pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token

Syntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

CODE

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]

Options and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-all	The optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>	The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.

Examples

Detail the contents of a PKCS12 file:

CODE

pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

CODE

pkcs12 example.p12 password -out example