PKCS 12
Filename extension |
.p12, .pfx |
---|---|
Internet media type |
application/x-pkcs12 |
Uniform Type Identifier (UTI) | 0 |
Developed by | RSA Security |
Initial release | 1996 |
Latest release | PKCS #12 v1.1 27 October 2012 |
Type of format | Archive file format |
Container for | X.509 public key certificates, X.509 private keys, X.509 CRLs, generic data |
Extended from | Microsoft PFX file format |
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.[1]
A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.[2][3]
PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.
The filename extension for PKCS #12 files is ".p12
" or ".pfx
".[4]
These files can be created, parsed and read out with the OpenSSL pkcs12
command.[5]
Relationship to PFX file format
PKCS #12 is the successor to Microsoft's "PFX";[6] however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.[4][5][7]
Microsoft's "PFX" has received heavy criticism of being one of the most complex cryptographic protocols.[7]
Normal usage
The full PKCS #12 standard is very complex. It enables buckets of complex objects such as PKCS #8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.
PKCS #12 files are usually created using OpenSSL, which only supports a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java 8, but that may be incompatible with many other systems; as of Java 9 it is the default keystore format.[8][9] The upcoming version of KMIP will also be able to create PKCS #12 files directly.[citation needed]
A simpler, alternative format to PKCS #12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file.
GnuTLS's certtool may also be used to create PKCS #12 files including certificates, keys, and CA certificates via --to-pk12. However, beware that for interchangeability with other software, if the sources are in PEM Base64 text, then --outder should also be used.
References
- ^ http://help.globalscape.com/help/secureserver3/Generating_a_PKCS_12_private_key_public_certificate.htm
- ^
"PKCS #12: Personal Information Exchange Syntax Standard". RSA Laboratories. Retrieved 2016-02-09.
This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc.
- ^ "PKCS 12 v1.0: Personal Information Exchange Syntax" (PDF). RSA Laboratories. 1999-06-24. Retrieved 2013-03-14.[permanent dead link]
- ^ a b Michel I. Gallant (March 2004). "PKCS #12 File Types: Portable Protected Keys in .NET". Microsoft Corporation. Retrieved 2013-03-14.
All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types.
- ^ a b "OpenSSL: Documents, pkcs12(1)". OpenSSL Project. 2013-01-17. Retrieved 2017-03-23.
The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed.
- ^ Peter Gutmann (August 2002). "Lessons Learned in Implementing and Deploying Crypto Software" (PDF). The USENIX Association. Retrieved 2013-03-14.
In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12
- ^ a b Peter Gutmann (1998-03-12). "PFX - How Not to Design a Crypto Protocol/Standard". Retrieved 2013-03-14.
- ^ "JEP 229: Create PKCS12 Keystores by Default". OpenJDK JEPs. Oracle Corporation. 2014-05-30.
- ^ Ryan, Vincent (2014-05-30). "Bug JDK-8044445: Create PKCS12 Keystores by Default". Java Bugs.
External links
- "PKCS #12 v1.1: Personal Information Exchange Syntax". RSA Laboratories.
- Moriarty, K., ed. (2014). PKCS #12: Personal Information Exchange Syntax v1.1. IETF. doi:10.17487/RFC7292. RFC 7292.
{{citation}}
: Unknown parameter|month=
ignored (help) - Overview about PKCS#12 capabilities, usage, implementations, history and future: Ryan Hurst and Yury Strozhevsky (2015-12-02). "The PKCS#12 standard needs another update". Unmitigated Risk Blog. Archived from the original on 2017-03-03.
{{cite web}}
:|author=
has generic name (help); External link in
(help)|author=