FreeKB - OpenSSL Display content of a PFX or P12 file
OpenSSL - Display content of a PFX or P12 file

Let's say you have a PFX or P12 file named example.pfx or example.p12. The openssl pkcs12 command with the -in and -info options can be used to display the contents of the PFX / P12 file.

openssl pkcs12 -in example.pfx -info

 

You should be prompted to provide the password that was used to secure the PFX / P12 file. If you do not want to be prompted for the password, the -passin option can be used to include the password on the command line.

openssl pkcs12 -in example.pfx -passin pass:your_password -info

 

If you are also prompted to enter a PEM pass phrase . . .

Enter PEM pass phrase:

 

This pass phrase protects the private key in the output. The -passout option can be used to include it on the command line.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info

 

After providing the valid password, something like this should be displayed.

MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31 
subject=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
issuer=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
-----BEGIN CERTIFICATE-----
MIIDEjCCAfoCCQCXoHahGXonlDANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCV0kxETAPBgNVBAcMCEFwcGxldG9uMQ0wCwYDVQQKDARkZW1v
MQ0wCwYDVQQLDARkZW1vMB4XDTIwMDYwNTEwNTkwMFoXDTIxMDYwNTEwNTkwMFow
SzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldJMREwDwYDVQQHDAhBcHBsZXRvbjEN
MAsGA1UECgwEZGVtbzENMAsGA1UECwwEZGVtbzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAOe9uSinqxx+Rz+0TS44adz0UgNNhSsY5AkULpKGh5PIrWzX
qwCZCMxLxArE9ywlV5ud6qEjX7LslXTkzH5kBjm6QxjXKxl2poeuRVdyBnECyIIs
J4FY8n4l6bjdac3UfP8i8Ut2gv5xs/JiE1o0GO2WJqt4RnwyHLBNoLZLT6B7TaP8
vQZ/PDLOZPxZHW+pGqVOi8Rl1qOSYgEXa4EagTL+b1dRC1ueaxLSF9BAEnZymCvu
oVpVSefkfPNy71E2A2Ir5T6POdNCDKTQcJzEZavgk9MJseUNCrQHnaEoc+z/CFMn
1KthGSWVFg6PNBcPapoatg6XHs45tEcSz2fdsC0CAwEAATANBgkqhkiG9w0BAQsF
AAOCAQEAGNp8ZGM0KgfZQBnYgMZlml1k4VW/QGGgefdSkmDHLppMWfCOGnaH1RrU
8Oj0cdfM48wsZN5ZfAEGavEunPYxRjiH8RJJz4wkuZazIuXvT46tnavLuZNJwr1c
OYPuJovcDutBOtSlrL+sqKWFcDABEJvpJ9BPCWMdUVRwXDxoANdM0Rfg75CSUhkf
1cYMqO9yZJx1IWFBPa+AAHyLrGacjo88Q3pWcdJVTkE8/mjcIqt50OuR03PN579f
z7m8gEpjhd1RgzwaADIpDmbwOVMmIY7SIhBSkhZDvuLa/hARANbIvuYY9bjLzCPc
81ZtsHyRVksGFn+29yN61Tn1hQyK9g==
-----END CERTIFICATE-----

 

Often, the private key block is included in the output. The -nokeys flag can be used so that the private key block is not included in the output.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys

 

Sometimes, the output will contain 3 certificates: the client certificate, the intermediate certificate, and the root certificate authority (CA). The -clcerts option can be used if you only need the client certificate.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts

 

Or the -cacerts option can be used if you only need the intermediate certificate and the root certificate authority (CA).

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -cacerts

 

Notice the output begins with the following lines.

MAC Iteration 2048
MAC verified OK

 

These lines are written to stderr, so 2>/dev/null can be used to suppress them from the output.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null

 

Notice the output includes the following lines.

Bag Attributes
    localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31 
subject=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
issuer=/C=US/ST=WI/L=Appleton/O=demo/OU=demo

 

If using the -clcerts option, the output should only contain a single client certificate. In this scenario, sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' can be used to only return the certificate data, and the output can be redirected to > example.cer to create a file that contains the client certificate.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > example.cer

 

Or the openssl x509 command can be used to display the certificate data without having to redirect the output to a file.

openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | openssl x509 -text -noout
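
The extraction pipeline above as a small script, added here as an example and not part of the original page: it reads the PFX password from an environment variable through OpenSSL's env: password source instead of pass:, and reports a failed pkcs12 step instead of discarding it. The variable name PFX_PASS, the function names and the throwaway self-signed PFX it builds are assumptions made for the demo.

```bash
#!/bin/sh
# Added example, not from the original page. PFX_PASS and the function
# names below are assumptions made for this sketch.

# Build a throwaway, constructed PFX (self-signed cert + key) in directory $1.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pfx-demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/example.pfx" -passout env:PFX_PASS
}

# Print only the client certificate PEM from PFX file $1.
# -passin env:PFX_PASS reads the password from the environment, so it is
# not part of the command line as it is with pass:. -nokeys keeps the
# private key out of the output, so no PEM pass phrase is requested.
extract_client_cert() {
    pem=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts \
          2>/dev/null) || {
        echo "cannot read $1: wrong password or not a PKCS#12 file" >&2
        return 1
    }
    printf '%s\n' "$pem" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# SHA-256 fingerprint of the PEM certificate on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256
}

# Demo run: extract the certificate and print its fingerprint.
demo() {
    dir=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    make_demo_pfx "$dir" &&
    extract_client_cert "$dir/example.pfx" > "$dir/example.cer" &&
    cert_fingerprint < "$dir/example.cer"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```
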

 




Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net