Keywords: PKCS#12 | OpenSSL | SSH public key authentication | key extraction | format conversion
Abstract: This article provides a detailed explanation of how to use OpenSSL to extract public and private keys from PKCS#12 files and convert them for use in SSH public key authentication. It covers the basics of PKCS#12 format, specific extraction commands, the necessity of format conversion, and practical steps for SSH configuration. Through step-by-step examples and in-depth analysis, it helps readers understand the core principles and implementation methods of certificate format conversion.
Overview of PKCS#12 Format
PKCS#12 (Public-Key Cryptography Standards #12) is a container format used to store encrypted private keys and corresponding certificates, typically with .pfx or .p12 file extensions. This format is widely used in Windows systems and web server configurations because it bundles the private key, certificate, and certificate chain into a single file, facilitating transport and management.
In a PKCS#12 file, the private key is usually stored in an encrypted form, requiring a password for access. The public key is embedded within an X.509 certificate, which may include additional metadata such as issuer information and validity periods. Understanding this structure is crucial for correctly extracting the keys.
Extracting Private Key with OpenSSL
To extract the private key from a PKCS#12 file, use the OpenSSL pkcs12 command. The following command extracts the private key into a PEM-formatted file:
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pemIn this command, the -nocerts option ensures only the private key is extracted without certificates, and -out specifies the output file. When executed, the system will prompt for the PKCS#12 file password. If the private key is encrypted within the container, a decryption password may also be required. The output file privateKey.pem contains the private key in PKCS#1 or PKCS#8 format, depending on the original file's encoding.
Note that the extracted private key might still be encrypted. To avoid repeated password entries in subsequent uses, you can add the -nodes option (no encryption of private key), but this reduces security and is recommended only in secure environments.
Extracting Public Key and Certificate
The public key is typically extracted from the X.509 certificate. Use the following command to extract the certificate (which contains the public key) from the PKCS#12 file:
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pemHere, the -clcerts option extracts only the client certificate (not the entire certificate chain), and -nokeys ensures no private key is included. The output file publicCert.pem contains the X.509 certificate in PEM format, with the public key embedded. To extract the public key separately from the certificate, you can further use openssl x509 -pubkey -noout -in publicCert.pem.
In some cases, the PKCS#12 file may include a certificate chain. As mentioned in the reference article, using -clcerts might not extract the full chain. If intermediate or root certificates are needed, omit -clcerts, but note that this could output multiple certificates requiring manual separation.
Format Conversion and SSH Compatibility
SSH public key authentication typically uses OpenSSH-formatted public keys, whereas public keys in PKCS#12 are based on X.509 certificates. Therefore, directly using the extracted certificate may not be compatible with SSH. It is necessary to convert the public key from the certificate to OpenSSH format.
Referencing other answers, the conversion can be done as follows: First, extract the public key from the certificate:
openssl x509 -pubkey -noout -in publicCert.pemThen, convert the format using the ssh-keygen tool:
openssl x509 -pubkey -noout -in publicCert.pem | ssh-keygen -f /dev/stdin -i -m PKCS8This command converts the PKCS#8 formatted public key to an OpenSSH-compatible format. The output can be directly added to the ~/.ssh/authorized_keys file.
For the private key, if the extracted format is not directly usable by SSH, similar conversion might be needed. For example, use openssl rsa -in privateKey.pem -pubout to generate a public key, or directly use ssh-keygen -y -f privateKey.pem to export the public key (if the private key format is compatible).
Practical Application and Configuration
When configuring public key authentication on an SSH server, add the converted public key content to the target user's ~/.ssh/authorized_keys file. For instance, if the converted public key is stored in ssh_public_key.pub, run:
cat ssh_public_key.pub >> ~/.ssh/authorized_keysEnsure correct file permissions: authorized_keys should be 600 (read-write for user only), and the ~/.ssh directory should be 700. On the client side, use the extracted private key for connection:
ssh -i privateKey.pem user@hostnameIf the private key is encrypted, SSH will prompt for the password. For convenience, consider using ssh-agent to manage private key passwords.
The reference article's example of extracting certificates and keys from PKCS#12 for web servers (e.g., Apache) highlights the versatility of this extraction method across various scenarios. Whether for SSH or HTTPS configuration, the core steps are similar: extract, convert, and apply.
Security Considerations
Security is paramount when handling PKCS#12 files. Private keys should always be stored and transmitted in secure environments, avoiding plaintext exposure. When using the -nodes option to extract unencrypted private keys, assess the risks and ensure strict file system permissions (e.g., set file permissions to 600).
Additionally, regular key and certificate rotation is a best practice. If the PKCS#12 file is from an external source, verify its authenticity and integrity to prevent man-in-the-middle attacks. In SSH configurations, using strong passwords and two-factor authentication can further enhance security.
Summary and Extensions
Using OpenSSL tools to extract public and private keys from PKCS#12 files for SSH public key authentication is feasible and efficient. Key steps include extracting private keys and certificates, format conversion, and SSH configuration. This approach is not only applicable to SSH but can also be extended to other key management scenarios, such as TLS certificate deployment.
In the future, with advancements in automation tools, such as scripting for batch processing of multiple PKCS#12 files, efficiency can be further improved. Understanding the underlying principles aids in troubleshooting and customizing workflows, ensuring flexible application in complex environments.