How to Create PKCS12 from CRT and KEY with OpenSSL

Create a PKCS12 (.p12) keystore from CRT and KEY with OpenSSL pkcs12 -export for Java keytool, Oracle JSSE, and IBM apps. Covers alias, chain, self-signed certs, -legacy for older Java, cert-only bundles, and verification with keytool.

Reviewed by Deepak Prasad

PKCS#12 (.p12, also called .pfx) is the standard container that merges a certificate and private key into one password-protected file. Java keytool, Oracle middleware, IBM products, and many enterprise installers expect PKCS12—not separate PEM files. OpenSSL creates it with the same pkcs12 -export command whether you call the output .p12 or .pfx.

This guide focuses on PKCS12 terminology and workflows: CA-signed and self-signed CRT + KEY, Java keystore aliases, intermediate chains, legacy options for older Java versions, certificate-only bundles, and verification with keytool. I ran every command on Ubuntu 25.04 with OpenSSL 3.4.1 and Java 17. For Windows IIS-focused export (TripleDES, -legacy details), see Create PFX from CRT and KEY—the commands are the same; only the target platform docs differ.

Tested on: Ubuntu 25.04 (Plucky Puffin); kernel 6.14.0-37-generic; OpenSSL 3.4.1; OpenJDK 17.


Quick answer: create PKCS12 from CRT and KEY

```bash
openssl pkcs12 -export \
  -in certificate.crt \
  -inkey private.key \
  -out keystore.p12 \
  -passout pass:YourStorePassword \
  -name myalias
```

Verify structure:

```bash
openssl pkcs12 -in keystore.p12 -passin pass:YourStorePassword -info -noout
```

```text
Certificate bag
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048
```

List with Java keytool:

```bash
keytool -list -storetype PKCS12 -keystore keystore.p12 -storepass YourStorePassword
```

```text
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

myalias, Jul 2, 2026, PrivateKeyEntry,
```

PKCS12 vs PFX vs P12

| Term | Meaning |
|---|---|
| PKCS#12 | Standard name (RFC 7292) |
| PKCS12 | Same standard, common in Java/Oracle/IBM docs |
| .p12 | File extension for Java keystores |
| .pfx | Same format; common on Windows/IIS |

One OpenSSL subcommand handles all of them: openssl pkcs12 -export. The PFX guide covers IIS import quirks; this page emphasizes Java and enterprise keystore usage.


Files required and key/cert match check

| Input | Purpose |
|---|---|
| Leaf .crt / .pem | End-entity certificate in -in |
| private.key | Matching private key in -inkey |
| intermediate.crt / bundle | Optional chain via -certfile |

Confirm the CRT and KEY belong together before export:

```bash
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa  -noout -modulus -in private.key  | openssl md5
```

If the hashes differ, OpenSSL fails with No cert in -in file matches private key.


Create PKCS12 from CA-signed CRT and KEY

```bash
openssl pkcs12 -export \
  -in certificate.crt \
  -inkey private.key \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name servercert
```

-name sets the keystore alias Java and many apps display (similar to keytool -alias).

Include intermediate CAs:

```bash
cat intermediate.crt root.crt > chain.pem

openssl pkcs12 -export \
  -in certificate.crt \
  -inkey private.key \
  -certfile chain.pem \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name servercert
```

Two Certificate bag lines in -info output mean the leaf plus at least one chain certificate were embedded.


Create PKCS12 from a self-signed certificate

Self-signed deployments use the same export after you generate CRT and KEY. Example one-year self-signed cert:

```bash
openssl req -x509 -newkey rsa:2048 -noenc \
  -keyout selfsigned.key -out selfsigned.crt -days 365 \
  -subj "/CN=dev.example.test" \
  -addext "subjectAltName=DNS:dev.example.test"

openssl pkcs12 -export \
  -in selfsigned.crt \
  -inkey selfsigned.key \
  -out selfsigned.p12 \
  -passout pass:StorePass123 \
  -name devcert
```

Clients must still trust the self-signed certificate—PKCS12 packaging does not change trust. See Generate self-signed certificate for SAN and validity options.


Combined PEM file method (Oracle / legacy docs)

Some Oracle and enterprise guides concatenate key and certificate into one PEM, then export:

```bash
cat private.key certificate.crt > combined.pem

openssl pkcs12 -export \
  -in combined.pem \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name myAlias
```

Separate -in and -inkey files are clearer and less error-prone; both approaches produce a valid PKCS12 when the key and cert match.


Export password and encrypted input keys

Set the PKCS12 store password (required for most Java apps):

```bash
-passout pass:YourStorePassword
```

When the input .key is passphrase-protected:

```bash
openssl pkcs12 -export \
  -in certificate.crt \
  -inkey encrypted.key \
  -passin pass:KeyUnlockPass \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name servercert
```

Use a non-empty store password—empty PKCS12 passwords break many Java JSSE configurations.


Java keytool: import and convert to JKS

Keep the keytool cheat sheet handy for -importcert, alias changes, and cacerts; this section covers PKCS12 inspection and JKS conversion after OpenSSL export.

After creating keystore.p12, inspect it:

```bash
keytool -list -storetype PKCS12 -keystore keystore.p12 -storepass StorePass123
```

Convert PKCS12 to legacy JKS if an old app requires JKS:

```bash
keytool -importkeystore \
  -srckeystore keystore.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass StorePass123 \
  -destkeystore app.jks \
  -deststoretype JKS \
  -deststorepass JksPass456
```

Point your Java app at keystore.p12 directly when the framework supports PKCS12 (Spring Boot, modern Tomcat, etc.)—conversion to JKS is optional.


Legacy PKCS12 for older Java and JSSE

OpenSSL 3.x defaults to AES-256 + PBKDF2. Some older Java versions report keystore password was incorrect even with the right password—the MAC or encryption algorithm is incompatible.

Re-export with legacy algorithms:

```bash
openssl pkcs12 -export -legacy \
  -in certificate.crt \
  -inkey private.key \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name servercert
```

Oracle JSSE documentation also recommends -nomaciter -noiter for very old stacks:

```bash
openssl pkcs12 -export -legacy -nomaciter -noiter \
  -in certificate.crt \
  -inkey private.key \
  -out keystore.p12 \
  -passout pass:StorePass123 \
  -name servercert
```

On Ubuntu 25.04, both the default and -legacy -nomaciter -noiter exports loaded in Java 17 keytool. If import fails on your JDK version, try -legacy first, then the explicit TripleDES flags in the PFX guide.


Certificate-only PKCS12 (no private key)

Import trust anchors without a private key—useful for truststores, not server TLS identity:

```bash
openssl pkcs12 -export \
  -in ca.crt \
  -nokeys \
  -out trust.p12 \
  -passout pass:TrustPass123 \
  -name ca-trust
```

-info shows certificate bags only—no Shrouded Keybag.


Verify and extract after export

Inspect bags and algorithms:

```bash
openssl pkcs12 -in keystore.p12 -passin pass:StorePass123 -info -noout
```

Extract PEM files on Linux:

```bash
openssl pkcs12 -in keystore.p12 -passin pass:StorePass123 -nocerts -nodes -out extracted.key
openssl pkcs12 -in keystore.p12 -passin pass:StorePass123 -clcerts -nokeys -out extracted.crt
```

Full walkthrough: Extract private key from PFX.
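An added shell example, not from the original article, that wraps the match check, export and verification above in one function and assumes only POSIX sh with openssl on PATH (make_p12, key_matches_cert and count_bags are names chosen here). It reads the store password from an environment variable with -passout env:, so the password never appears in the process list or shell history, checks the key/cert match by comparing public keys rather than the RSA-only modulus, and verifies the result by counting bags in -info output.

```shell
# Added example (not from the original article): export a PKCS12 keystore
# as described above, with three practitioner safeguards.
#  1. The store password comes from the P12_PASS environment variable
#     (-passout env:P12_PASS), so it never shows up in `ps` or shell history.
#  2. The key/cert match is checked by comparing public keys, which works
#     for RSA and EC keys alike (the -modulus check is RSA-only).
#  3. The result is verified by counting bags in `openssl pkcs12 -info`.
# Usage: P12_PASS=... make_p12 cert.crt private.key out.p12 alias [chain.pem]
# Set KEY_PASS when private.key is passphrase-protected.

key_matches_cert() {
    # 0 when the certificate's public key equals the one derived from the key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    if [ -n "${KEY_PASS:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -pubout -passin env:KEY_PASS) || return 1
    else
        key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

count_bags() {
    # Prints "<certificate bags> <shrouded key bags>"; -info writes to stderr
    info=$(openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1) || return 1
    certs=$(printf '%s\n' "$info" | grep -c '^Certificate bag' || true)
    keys=$(printf '%s\n' "$info" | grep -c '^Shrouded Keybag' || true)
    echo "$certs $keys"
}

make_p12() {
    cert=$1; key=$2; out=$3; name=$4; chain=${5:-}
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 3; }
    set -- -in "$cert" -inkey "$key" -out "$out" -name "$name" -passout env:P12_PASS
    [ -n "$chain" ] && set -- "$@" -certfile "$chain"     # intermediates/root
    [ -n "${KEY_PASS:-}" ] && set -- "$@" -passin env:KEY_PASS
    openssl pkcs12 -export "$@" || return 4
    count_bags "$out"     # "1 1" for leaf + key, "2 1" with one chain cert
}

# Run directly: P12_PASS=secret sh make_p12.sh cert.crt private.key out.p12 alias
if [ $# -ge 4 ]; then
    make_p12 "$@"
fi
```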


Troubleshooting

| Symptom | Fix |
|---|---|
| No cert in -in file matches private key | CRT/KEY mismatch; compare modulus MD5 |
| keytool: keystore password was incorrect | Re-export with -legacy; confirm -passout password |
| JSSE fails with old Oracle adapter | Add -nomaciter -noiter on export |
| Missing chain in Java trust path | Re-export with -certfile chain.pem |
| unable to load private key | Add -passin for encrypted input key |
| Empty password rejected | Use -passout pass:NonEmptyPassword |


Summary

Create PKCS12 from CRT and KEY with openssl pkcs12 -export -in cert.crt -inkey private.key -out keystore.p12 -passout pass:PASSWORD -name alias. PKCS12, PKCS#12, .p12, and .pfx name the same bundle format. Add -certfile chain.pem for intermediates, -passin when the input key is encrypted, and -legacy (or -nomaciter -noiter) when Java keytool rejects OpenSSL 3 defaults. Self-signed certificates export the same way as CA-signed certs. Verify with openssl pkcs12 -info and keytool -list. To split the keystore back into PEM files, use Extract private key from PFX; for IIS-specific import notes, see Create PFX from CRT and KEY.

Frequently Asked Questions

1. What is the OpenSSL command to create PKCS12 from CRT and KEY?

Run openssl pkcs12 -export -in cert.crt -inkey private.key -out keystore.p12 -passout pass:STORE_PASSWORD -name myalias. PKCS12 and PFX are the same format; .p12 is the usual extension for Java keystores.

2. Is PKCS12 the same as PFX?

Yes. Both refer to PKCS#12. Windows and IIS often use the .pfx extension; Java, Oracle, and IBM documentation usually say PKCS12 or .p12. The OpenSSL command is identical: pkcs12 -export.

3. How do I create PKCS12 for Java keytool?

Export with openssl pkcs12 -export -in cert.crt -inkey key.pem -out store.p12 -name servercert -passout pass:SECRET. If keytool reports keystore password was incorrect on OpenSSL 3.x, re-export with -legacy or -nomaciter -noiter for older JSSE stacks.

4. Can I create PKCS12 from a self-signed certificate?

Yes. Self-signed CRT and KEY work the same as CA-signed files as long as they match. Use openssl req -x509 to create both, then pkcs12 -export. Clients still must trust the self-signed cert separately.

5. How do I include intermediate CAs in PKCS12?

Add -certfile chain.pem where chain.pem lists intermediate and optional root certificates. The leaf certificate stays in -in; the chain file is appended as additional certificate bags inside the .p12.

6. Can I create PKCS12 with only a certificate and no private key?

Yes with -nokeys: openssl pkcs12 -export -in cert.crt -nokeys -out trust.p12 -passout pass:SECRET. That builds a trust-only bundle without a private key entry—useful for importing CA certs, not for TLS server identity.