I am trying to manage, in a C library, multiple RSA keys and certificates in a PKCS#12 structure. Managing a single key with the primitives PKCS12_create and PKCS12_parse works fine, but I can't find anything about managing multiple keys. I tried to use the safes and bags primitives, but I only succeeded in corrupting my PKCS12.
Does OpenSSL's PKCS#12 allow multiple keys and certificates in a PKCS#12 structure? If so, how do I manage multiple keys and certificates using the PKCS#12 API?
Thanks all
In Request Handling, select Allow private key to be exported. Unlike SCEP, with PKCS the certificate private key is generated on the server where the certificate connector is installed and not on the device.
Some software requires a stand-alone private key instead of a keystore for authentication, signing, etc. To extract the private key from a keystore, run the following command: openssl pkcs12 -in keystore.p12 -nocerts -nodes Note that secret keys are not supported by openssl in a PKCS#12 keystore.
To extract a certificate or certificate chain from a PKCS12 keystore using openssl, run the following command: Where -in example.p12 is the keystore and -nokeys means only extract the certificates and not the keys.
By default, the SSH command will use the default RSA key ~/.ssh/id_rsa. However, we can specify the key using the -i argument with the path of a specific private key. For example, if your private key is called ~/.ssh/aws_vpc1, we can use the following command to instruct SSH to use it.
PKCS#12 is a complicated data structure. All of the operations that PKCS12_parse uses are public API; it just tries to simplify the simple case. The entire 245 lines of p12_kiss.c (one presumes Keep It Simple, Stupid) are PKCS12_parse and its (non-public) helper routines.
p12_crt.c is another 291 lines of "man, this file format is complicated", which is just PKCS12_create.
Managing multiple files is easier code, but if you want to take the complexity into your code you can simplify your file operations.
Don't forget to call PKCS12_SAFEBAG_create_pkcs8_encrypt on the private key bags. Your keys aren't encrypted unless you call it, and (IIRC) Apple's PFX reader won't load keys out of unencrypted bags (probably not an intentional decision, they just likely never experienced it).