
Let's say you have a PFX or P12 file named example.pfx or example.p12. The OpenSSL command with the -info and -in options can be used to display the contents of the PFX / P12 file.
openssl pkcs12 -in example.pfx -info
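You should be prompted to provide the password that was used to secure the PFX / P12 file. If you do not want to be prompted for the password, the -passin option can be used to include the password on the command line. Note that a password passed with pass: is visible in the process list to other users on the system and is typically saved in shell history.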
openssl pkcs12 -in example.pfx -passin pass:your_password -info
If you are also prompted to enter a PEM pass phrase . . .
Enter PEM pass phrase:
This pass phrase is used to encrypt the private key in the PEM output. The -passout option can be used to include it on the command line.
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info
After providing the valid password, something like this should be displayed.
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31
subject=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
issuer=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Often, the private key block is included in the output. The -nokeys flag can be used so that the private key block is not included in the output.
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys
Sometimes the output will contain 3 certificates: the client certificate, the intermediate certificate, and the root certificate authority (CA). The -clcerts option can be used if you only need the client certificate.
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts
Or the -cacerts option can be used if you only need the intermediate certificate and the root certificate authority (CA).
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -cacerts
Notice the output begins with the following lines.
MAC Iteration 2048
MAC verified OK
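These lines are written to stderr, so 2>/dev/null can be used to suppress them from the output. This also hides error messages, such as the one for an invalid password.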
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null
Notice the output also includes the following lines.
Bag Attributes
localKeyID: E5 6D 55 73 09 C7 DF 9D C6 B4 F4 13 A2 92 F6 1E 21 62 BA 31
subject=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
issuer=/C=US/ST=WI/L=Appleton/O=demo/OU=demo
If using the -clcerts option, the output should only contain a single client certificate. In this scenario, sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' can be used to only return the certificate data, and the output can be redirected to > example.cer to create a file that contains the client certificate.
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > example.cer
Or the openssl x509 command can be used to display the certificate data without having to redirect the output to a file.
openssl pkcs12 -in example.pfx -passin pass:your_password -passout pass:your_password -info -nokeys -clcerts 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | openssl x509 -text -noout
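The extraction steps above combined into one script, as an added example that is not part of the original article. It reads the password from an environment variable (PFX_PASS, an assumed name) through OpenSSL's env: pass-phrase source instead of pass:, captures stderr so a wrong password is reported rather than hidden, and checks the result against a throwaway self-signed certificate constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). PFX_PASS is an assumed variable name.

# Build a throwaway self-signed certificate and PFX in directory $1 (constructed test data).
make_demo_pfx() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=WI/L=Appleton/O=demo/OU=demo" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/example.pfx" -passout env:PFX_PASS
}

# Write the client certificate from PFX $1 to file $2; the password comes from $PFX_PASS.
extract_client_cert() {
    pfx=$1 out=$2
    tmp=$(mktemp) || return 1
    # env:PFX_PASS keeps the password out of the argument list shown by ps.
    # stderr is captured, not discarded, so a bad password is not silent.
    if ! err=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -info \
                   -nokeys -clcerts 2>&1 >"$tmp"); then
        rm -f "$tmp"
        echo "pkcs12 failed for $pfx: $err" >&2
        return 2
    fi
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$tmp" >"$out"
    rm -f "$tmp"
    # An empty or malformed result must not pass as a certificate.
    openssl x509 -in "$out" -noout 2>/dev/null ||
        { echo "no certificate extracted from $pfx" >&2; return 3; }
}

# SHA-256 fingerprint, used to confirm the extracted file is the bundled certificate.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Demo run on the constructed PFX: prints the fingerprint of the original
# certificate and of the extracted one.
demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    make_demo_pfx "$d" && extract_client_cert "$d/example.pfx" "$d/example.cer" &&
        cert_fingerprint "$d/cert.pem" && cert_fingerprint "$d/example.cer"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```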