Excerpt
`pkcs12` is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.

The program is located in the <install_root>/tools directory relative to where Nexus Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Generate a PKCS10 request

Expand

title	Syntax

This is the syntax for "Generate a PKCS10 request"

Code Block
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>\|<classname>}] -certrequest <subject-dn> [-signalgorithm <signAlgId>]

Expand

title	Options and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The required password for the PKCS12 soft token.
-certrequest <subject-dn>	The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-signalgorithm <signAlgId>	The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.

Expand

title	Examples

Generate a PKCS10 request using a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

Code Block

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]

Expand

title	Options and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>	The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-ec	Generates a new EC (elliptic curve) key pair.
-curve <ec-curve>	The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsa	Generates a new DSA key pair.
-rsa	Generates a new RSA key pair.
-keylength <length>	The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.
-keyalgorithm <keyAlgID>	The optional key algorithm to use.
-signalgorithm <SignAlgId>	The optional signature algorithm to use.

Expand

title	Examples

Generate an RSA key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -rsa

Generate an EC key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -ec

Add a certificate to a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

Code Block

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}] -updatecert <cert-file>

Expand

title	Options and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use.Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-updatecert <cert-file>	The required name of the certificate file to add to the PKCS12 soft token.

Expand

title	Examples

Add a certificate to a PKCS12 file:

Code Block
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-encryptalgorithm {aes128\|aes192\|aes256\|des3}] [-iterations <amount>] [-bc] [-provider {<name>\|<classname>}] -remove

Expand

title	Options and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-remove	The required flag signalling that the designated key pair should be removed from the PKCS12 soft token.

Expand

title	Examples

Remove a key pair from a PKCS12 file:

Code Block
pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>\|<classname>}] [-all] [-out <bag-filename-prefix>]

Expand

title	Options and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-all	The optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>	The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.

Expand

title	Examples

Detail the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -out example

This article is valid from CM for Certificate Manager 8.1 and later.

Related information

Smart ID Certificate Manager

Versions Compared

Old Version 2

New Version 3

Key

Generate a PKCS10 request

Add a key pair to a PKCS12 soft token

Add a certificate to a PKCS12 soft token

Remove a key pair from a PKCS12 soft token

Export or view the contents of a PKCS12 soft token

Related information

Page Comparison

Versions Compared

Old Version 2

New Version 3

Key

Generate a PKCS10 request

Add a key pair to a PKCS12 soft token

Add a certificate to a PKCS12 soft token

Remove a key pair from a PKCS12 soft token

Export or view the contents of a PKCS12 soft token

Related information