PKCS 12

From HandWiki
PKCS #12
Filename extension: .p12, .pfx
Internet media type: application/x-pkcs12
Uniform Type Identifier (UTI): com.rsa.pkcs-12[1]
Developed by: RSA Security
Initial release: 1996
Latest release: PKCS #12 v1.1 (27 October 2012)
Type of format: Archive file format
Container for: X.509 public key certificates, X.509 private keys, X.509 CRLs, generic data
Extended from: Microsoft PFX file format

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBag types are predefined to store certificates, private keys and CRLs; another SafeBag type is provided to store any other data at the implementer's choice.[2][3]
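To make that nesting concrete, the following added example (not code from the HandWiki page, RSA Laboratories, or any PKCS #12 implementation) walks the outer structure of a PFX blob with a small DER reader: it reports the version, whether a MAC is present, and, for each part of the AuthenticatedSafe, whether it is a plaintext SafeContents (listing its bag types by OID) or an encryptedData part that is left opaque. The sample PFX is constructed in place with empty placeholder bag values; signedData (public-key integrity) mode and the bag contents themselves are deliberately not parsed.

```python
RSADSI_PKCS = bytes.fromhex("2a864886f70d01")  # content octets of OID arc 1.2.840.113549.1
DATA, ENCRYPTED = RSADSI_PKCS + b"\x07\x01", RSADSI_PKCS + b"\x07\x06"  # pkcs7 data / encryptedData
BAG_NAMES = ["keyBag", "pkcs8ShroudedKeyBag", "certBag", "crlBag", "secretBag", "safeContentsBag"]
BAG_OIDS = {RSADSI_PKCS + bytes([12, 10, 1, i]): n for i, n in enumerate(BAG_NAMES, 1)}  # ...12.10.1.N

def read_tlv(buf, pos=0):  # DER TLV -> (tag, content, end); long-form lengths as found in real files
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def unwrap_data(ci):  # ContentInfo of type data -> the bytes inside its [0] OCTET STRING, else None
    _, ctype, pos = read_tlv(ci)
    return read_tlv(read_tlv(ci, pos)[1])[1] if ctype == DATA else None

def inspect_pfx(pfx):
    """Return (version, has_mac, [(kind, [bag names]), ...]); encryptedData parts stay opaque."""
    body = read_tlv(pfx)[1]  # PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData OPTIONAL }
    _, ver, pos = read_tlv(body)
    _, auth, end = read_tlv(body, pos)
    authsafe = unwrap_data(auth)
    if authsafe is None:
        raise ValueError("signedData authSafe (public-key integrity mode) not handled here")
    seq, pos, findings = read_tlv(authsafe)[1], 0, []  # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    while pos < len(seq):
        _, ci, pos = read_tlv(seq, pos)
        sc = unwrap_data(ci)  # plaintext SafeContents ::= SEQUENCE OF SafeBag, or None if encryptedData
        inner, bags, q = (read_tlv(sc)[1] if sc is not None else b""), [], 0
        while q < len(inner):
            _, bag, q = read_tlv(inner, q)
            bags.append(BAG_OIDS.get(read_tlv(bag)[1], "unknownBag"))  # bagId is the SafeBag's first field
        findings.append(("data" if sc is not None else "encryptedData", bags))
    return int.from_bytes(ver, "big"), end < len(body), findings

def weaknesses(pfx):  # what a reviewer flags: no MAC, or an unshrouded private key in a plaintext part
    _, has_mac, findings = inspect_pfx(pfx)
    issues = [] if has_mac else ["no macData: bundle integrity is unprotected"]
    return issues + ["plain keyBag in unencrypted SafeContents" for k, b in findings if k == "data" and "keyBag" in b]

def der(tag, body):  # DER encoder; short-form length is enough for the small constructed sample
    return bytes([tag, len(body)]) + body
def content_info(ctype, content):  # ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT content }
    return der(0x30, der(0x06, ctype) + der(0xA0, content))
def safe_bag(name, value):  # SafeBag ::= SEQUENCE { bagId OID, [0] EXPLICIT bagValue }
    return der(0x30, der(0x06, RSADSI_PKCS + bytes([12, 10, 1, BAG_NAMES.index(name) + 1])) + der(0xA0, value))

# Constructed sample (not a real key store): v3, no MAC, a plaintext part with certBag + keyBag, one opaque encryptedData part
PLAIN = der(0x30, safe_bag("certBag", der(0x30, b"")) + safe_bag("keyBag", der(0x30, b"")))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + content_info(DATA, der(0x04, der(0x30,
    content_info(DATA, der(0x04, PLAIN)) + content_info(ENCRYPTED, der(0x30, b""))))))
```

Running `weaknesses(SAMPLE_PFX)` reports both the missing MAC and the unshrouded keyBag; a bundle whose only part is encryptedData and which carries macData reports nothing.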

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

The filename extension for PKCS #12 files is .p12 or .pfx.[4]

These files can be created, parsed and read out with the OpenSSL pkcs12 command.[5]

Relationship to PFX file format

PKCS #12 is the successor to Microsoft's "PFX";[6] however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.[4][5][7]

The PFX format has been criticized for being one of the most complex cryptographic protocols.[7]

Normal usage

PKCS #12 files are usually created using OpenSSL, which only supports a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java 8, but that may be incompatible with many other systems.[8] As of Java 9 (released 2017-09-21), PKCS #12 is the default keystore format.[9][10]

A simpler alternative format to PKCS #12 is PEM, which just lists the certificates and possibly private keys as Base64 strings in a text file.

GnuTLS's certtool may also be used to create PKCS #12 files including certificates, keys, and CA certificates via --to-p12. For interoperability with other software, note that if the sources are in PEM (Base64 text) form, --outder should also be used so that the resulting file is written in DER.

References

  1. "pkcs12". Apple Developer Documentation: Uniform Type Identifiers. Apple Inc. https://developer.apple.com/documentation/uniformtypeidentifiers/uttype/3551547-pkcs12.
  2. "PKCS #12: Personal Information Exchange Syntax Standard". RSA Laboratories. http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm. "This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc."
  3. "PKCS 12 v1.0: Personal Information Exchange Syntax". RSA Laboratories. 1999-06-24. https://ftp.gnome.org/mirror/archive/ftp.sunet.se/pub/security/docs/PCA/PKCS/ftp.rsa.com/pkcs-12/pkcs-12v1.pdf.
  4. Michel I. Gallant (March 2004). "PKCS #12 File Types: Portable Protected Keys in .NET". Microsoft Corporation. https://docs.microsoft.com/en-us/previous-versions/ms867088(v=msdn.10). Retrieved 2013-03-14. "All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types."
  5. "openssl-cmds: pkcs12". OpenSSL Project. 2019. https://www.openssl.org/docs/manmaster/man1/pkcs12.html. Retrieved 2020-01-16. "The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed."
  6. Peter Gutmann (August 2002). "Lessons Learned in Implementing and Deploying Crypto Software". The USENIX Association. https://static.usenix.org/events/sec02/full_papers/gutmann/gutmann.pdf. Retrieved 2020-01-16. "In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12"
  7. Peter Gutmann (1998-03-12). "PFX - How Not to Design a Crypto Protocol/Standard". https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html. Retrieved 2020-01-16.
  8. Kai Kramer (2016-06-05). "p12 files don't show root and sub CA certificates #35". https://github.com/kaikramer/keystore-explorer/issues/35. "There exists a general problem when the extremely flexible PKCS#12 format is pushed into the keystore API. [...] 2.16.840.1.113894.746875.1.1: <Unsupported tag 6>"
  9. "JEP 229: Create PKCS12 Keystores by Default". OpenJDK JEPs. Oracle Corporation. 2014-05-30. https://openjdk.java.net/jeps/229.
  10. Ryan, Vincent (2014-05-30). "Bug JDK-8044445: Create PKCS12 Keystores by Default". JDK Bug System. https://bugs.openjdk.java.net/browse/JDK-8044445.
  • RFC 7292 - PKCS #12: Personal Information Exchange Syntax v1.1
