From Wikipedia, the free encyclopedia
  (Redirected from PKCS12)
Jump to: navigation, search
"PFX" redirects here. For the managed concurrency library from Microsoft, see Parallel FX Library.
The correct title of this article is PKCS #12. The substitution or omission of the # is because of technical restrictions.
PKCS #12
Filename extension .p12, .pfx
Developed by RSA Security
Initial release 1996 (1996)
Latest release
PKCS #12 v1.1
(27 October 2012; 3 years ago (2012-10-27))
Type of format Archive file format
Container for X.509 public key certificates, X.509 private keys, X.509 CRLs, generic data
Extended from Microsoft PFX file format

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.[1]

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice. [2][3]

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

The filename extension for PKCS #12 files is ".p12" or ".pfx".[4]

These files can be created, parsed and read out with the OpenSSL pkcs12 command.[5]

Relationship to PFX file format[edit]

PKCS #12 is the successor to Microsoft's "PFX",[6] however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.[4][5][7]

Microsoft's "PFX" has received heavy criticism of being one of the most complex cryptographic protocols.[7]

Normal Usage[edit]

The full Pkcs12 standard is very complex. It enables buckets of complex objects such as PKCS 8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.

Pkcs12 files are usually created using OpenSSL, which only support a single private key from the command line interface. The Java keytool can be used to create multiple "Entries" since Java 8, but that may be incompatible with many other systems. The upcoming version of KMIP will also be able to create Pkcs12 files directly.

A simpler, alternative format to PKCS 12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file.


  1. ^
  2. ^ "PKCS #12: Personal Information Exchange Syntax Standard". RSA Laboratories. Retrieved 2013-03-14. This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc. 
  3. ^ "PKCS 12 v1.0: Personal Information Exchange Syntax" (PDF). RSA Laboratories. 1999-06-24. Retrieved 2013-03-14. 
  4. ^ a b Michel I. Gallant (March 2004). "PKCS #12 File Types: Portable Protected Keys in .NET". Microsoft Corporation. Retrieved 2013-03-14. All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types. 
  5. ^ a b "OpenSSL: Documents, pkcs12(1)". OpenSSL Project. 2013-01-17. Retrieved 2013-03-14. The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. 
  6. ^ Peter Gutmann (August 2002). "Lessons Learned in Implementing and Deploying Crypto Software" (PDF). The USENIX Association. Retrieved 2013-03-14. In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12 
  7. ^ a b Peter Gutmann (1998-03-12). "PFX - How Not to Design a Crypto Protocol/Standard". Retrieved 2013-03-14. 

External links[edit]