0
votes

I have a trusted certificate chain, a certificate issued by this chain, and a private key file for this certificate.

I want to create a P12 / PFX for this, so I can put it as a client certificate in the Windows store:

openssl pkcs12 -export -nokeys^
               -certfile mytrustedCertificates.pem^
               -inkey myPrivateKey.key^
               -in myCertificate.crt^
               -out myCertificate.p12

Alas, the resulting file contains all the trusted certificates. If I import the P12 into my Windows certificate store, I import the complete certificate chain, although those certificates are already in the store.

I also tried these options (from the OpenSSL command-line utilities, also listed in -help):

  • -nocerts: don't output certificates.
  • -clcerts: only output client certificates.

Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.

1
Presumably just remove the -certfile mytrustedCertificates.pem altogether... -in is the cert that matches -inkey; if you don't want anything else... just don't provide it? – bartonjs
BartonJs: So simple! Because in most other commands I used, I had to include the certificate authorities. Apparently that is not needed for a P12 / PFX. – Harald Coppoolse

1 Answer

0
votes

BartonJs gave the answer in a comment (thank you BartonJs!):

Leave out the -certfile parameter:

openssl pkcs12 -export -nokeys^
               -name "some friendly name"^
               -inkey myPrivateKey.key^
               -in myCertificate.crt^
               -out myCertificate.p12

  • nokeys: leaves out the PEM password
  • name: the friendly name that will appear in the "Friendly name" column of the Windows store
  • inkey and in are the input certificate with its private key
  • out is the name of the file to produce.

After importing it into the Windows store (command: certlm.msc), it properly shows:

  • Issued to:
  • Issued by:
  • Expiration date
  • Intended purposes
  • Friendly name:
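An added example (not from the question or the answer) that makes the difference visible with a throwaway CA and client certificate it generates itself: with -certfile the P12 also carries the CA certificate, without it only the client certificate, and -nokeys on export leaves the private key out of the file entirely, which a client certificate in the Windows store needs. Assumes openssl is on the PATH; all names and the password "test" are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer: build a throwaway
# CA and client certificate, then export the client certificate to PKCS#12
# with and without -certfile and count what ends up inside each file.
set -e
work=$(mktemp -d)

# Throwaway CA (constructed test data, 1-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
# Client key + CSR, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$work/client.csr" -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$work/client.crt" 2>/dev/null

# Export client.crt/client.key to $1, passing any further pkcs12 options through.
export_p12() {
    out=$1; shift
    openssl pkcs12 -export -passout pass:test -name "client1" \
        -inkey "$work/client.key" -in "$work/client.crt" -out "$out" "$@"
}

# Number of certificates stored in the P12 at $1.
count_certs() {
    openssl pkcs12 -in "$1" -passin pass:test -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys stored in the P12 at $1.
count_keys() {
    openssl pkcs12 -in "$1" -passin pass:test -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY' || true
}

export_p12 "$work/with_chain.p12" -certfile "$work/ca.pem"   # the question's command
export_p12 "$work/leaf_only.p12"                               # the answer's command
export_p12 "$work/no_key.p12" -nokeys                          # -nokeys discards the key

echo "with -certfile: $(count_certs "$work/with_chain.p12") cert(s)"   # 2
echo "without:        $(count_certs "$work/leaf_only.p12") cert(s)"    # 1
echo "with -nokeys:   $(count_keys "$work/no_key.p12") private key(s)" # 0
```

Importing the leaf-only file into certlm.msc therefore adds just the client certificate, while the issuing CA is still found in the store's existing trust roots.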