Excerpt
`pkcs12` is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.

The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Generate a PKCS10 request

Expand

title	Syntax

This is the syntax for "Generate a PKCS10 request"

Code Block
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>\|<classname>}] -certrequest <subject-dn> [-signalgorithm <signAlgId>]

Expand

title	Options and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The required password for the PKCS12 soft token.
-certrequest <subject-dn>	The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-signalgorithm <signAlgId>	The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.	-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.

Expand

title	Examples

Generate a PKCS10 request using a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

Code Block

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]

Expand

title	Options and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>	The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.	-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-ec	Generates a new EC (elliptic curve) key pair.
-curve <ec-curve>	The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsa	Generates a new DSA key pair.
-rsa	Generates a new RSA key pair.
-keylength <length>	The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.
-keyalgorithm <keyAlgID>	The optional key algorithm to use.
-signalgorithm <SignAlgId>	The optional signature algorithm to use.

Expand

title	Examples

Generate an RSA key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -rsa

Generate an EC key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -bc -ec

Add a certificate to a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

Code Block

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-bc] [-provider {<name>|<classname>}] -updatecert <cert-file>

Expand

title	Options and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use.Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-bcThe optional flag signalling usage of Bouncy Castle as the JCE provider .-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-updatecert <cert-file>	The required name of the certificate file to add to the PKCS12 soft token.

Expand

title	Examples

Add a certificate to a PKCS12 file:

Code Block
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-encryptalgorithm {aes128\|aes192\|aes256\|des3}] [-iterations <amount>] [-bc] [-provider {<name>\|<classname>}] -remove

Expand

title	Options and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.
-encryptalgorithm {aes128\| aes192\|aes256\|des3}	The optional encryption-algorithm to use. Choose one of `aes128`, `aes192`, `aes256` or `des3` (default).
-iterations <amount>	The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.	-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-remove	The required flag signalling that the designated key pair should be removed from the PKCS12 soft token.

Expand

title	Examples

Remove a key pair from a PKCS12 file:

Code Block
pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token

Expand

title	Syntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>\|<classname>}] [-all] [-out <bag-filename-prefix>]

Expand

title	Options and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and arguments	Description
<pkcs12-file>	The required path and file name of the P12 file to read from or write to.
<password>	The optional password for the PKCS12 soft token.
-friendlyname <name>	The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the `localkeyid` flag must be used.
-localkeyid <id>	The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the `friendlyname` flag must be used.	-bc	The optional flag signalling usage of Bouncy Castle as the JCE provider.
-provider {<name>\|<classname>}	The optional name or classname of the JCE provider to use.
-all	The optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>	The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.

Expand

title	Examples

Detail the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -out example

This article is valid for Certificate Manager 8.1 5 and later.

Related information

Smart ID Certificate Manager

Versions Compared

Old Version 3

New Version 4

Key

Generate a PKCS10 request

Add a key pair to a PKCS12 soft token

Add a certificate to a PKCS12 soft token

Remove a key pair from a PKCS12 soft token

Export or view the contents of a PKCS12 soft token

Related information

Page Comparison

Versions Compared

Old Version 3

New Version 4

Key

Generate a PKCS10 request

Add a key pair to a PKCS12 soft token

Add a certificate to a PKCS12 soft token

Remove a key pair from a PKCS12 soft token

Export or view the contents of a PKCS12 soft token

Related information