Filename extension .p12, .pfx Developed by RSA Security Type of format Archive file format | Uniform Type Identifier (UTI) 0 Initial release 1996 (1996) | |
Latest release PKCS #12 v1.1
(27 October 2012; 4 years ago (2012-10-27)) | ||
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
Contents
A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.
PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.
The filename extension for PKCS #12 files is ".p12" or ".pfx".
These files can be created, parsed and read out with the OpenSSL pkcs12 command.
Relationship to PFX file format
PKCS #12 is the successor to Microsoft's "PFX", however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.
Microsoft's "PFX" has received heavy criticism of being one of the most complex cryptographic protocols.
Normal usage
The full PKCS #12 standard is very complex. It enables buckets of complex objects such as PKCS #8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.
PKCS #12 files are usually created using OpenSSL, which only support a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java 8, but that may be incompatible with many other systems. The upcoming version of KMIP will also be able to create PKCS #12 files directly.
A simpler, alternative format to PKCS #12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file.
GnuTLS's certtool may also be used to create PKCS #12 files including certificates, keys, and CA certificates via --to-pk12. However, beware that for interchangeability with other software, if the sources are in PEM Base64 text, then --outder should also be used.