Exporting a certificate in PKCS12 format from Firefox

I have imported a certificate into Firefox, and I want to export it into PKCS12 format. The only options that I find are PKCS7, PEM and DIR, and not PKCS12. I doubt that the certificate has no private key, so is there a way to check that?

EDIT: My problem was in the Chrome browser, which I used when I requested the certificate. It seems that it has a problem with storing the private key. I repeated the request with Firefox and things went fine.


Solution 1:

You can view Certificate contents in Firefox
(Tools -> Options -> Advanced -> Encryption -> View Certs -> Yours/Authority/etc -> <cert> -> View -> Details -> Certificate Fields -> Public Key)

If you can export to PEM, you can convert that to PKCS12

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export \
  -out mycert.pfx -in mycert.pem \
  -name "My Certificate"

Update: Examples of using OpenSSL

Generate a self-signed certificate

  $ openssl req \
  >   -x509 -nodes -days 365 \
  >   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

View its contents

  $ openssl x509 -in mycert.pem -noout -text

View the PEM file

  $ cat mycert.pem
  -----BEGIN RSA PRIVATE KEY-----
  MIICXAIBAAKBgQDa6JQOLkwoIGhTvcTSYX68Ddaq4hGk/61RSVELaVFJTNQYPB86
  …
  aPj0KoeFJ04/sLcZNZwGcC93rNA66xTICLtGbBXlM1U=
  -----END RSA PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  MIICxTCCAi6gAwIBAgIJAOaxxgLFlypwMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
  …
  tz0TMEYxbGIscZbxeJxoK6pe5tOwXtdjStlcITzksdPV5rLp84aeJl4=
  -----END CERTIFICATE-----

Note that whilst a PEM file can contain both private key and a certificate, the private key isn't part of the X.509 certificate.

If the PEM exported by FF lacks the BEGIN and END markers around the Base64 encoded data, OpenSSL can't read the PEM file.

Here's a CA certificate I exported from Firefox (*viewed in e.g. notepad)

-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
…
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

(ellipsis … where data omitted for brevity)

I can view that OK using openssl x509 -in ff.crt -noout -text (I cut & pasted from Windows to Linux but you can install openssl on Windows too)
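The check asked about in the question, combined with the conversion command from Solution 1, as an added example that is not part of the original post: it confirms that a PEM file holds a certificate and the private key belonging to it before calling openssl pkcs12 -export. The function names, exit codes and the passphrase-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names and file arguments are illustrative.

# True if the file contains a complete CERTIFICATE block (both markers).
pem_has_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# True if the file contains a private key block: traditional
# (RSA/EC/DSA PRIVATE KEY), PKCS#8, or ENCRYPTED PRIVATE KEY.
pem_has_private_key() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# True if the private key in $2 belongs to the certificate in $1, i.e.
# both yield the same public key. An encrypted key prompts for its passphrase.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# $1 = PEM holding key and certificate, $2 = output .pfx,
# $3 = file containing the export passphrase.
# Returns 2 (no certificate), 3 (no private key), 4 (key/cert mismatch).
export_pkcs12() {
    pem_has_cert "$1" || { echo "$1: no certificate block" >&2; return 2; }
    pem_has_private_key "$1" ||
        { echo "$1: no private key, cannot build PKCS#12" >&2; return 3; }
    key_matches_cert "$1" "$1" ||
        { echo "$1: key does not match certificate" >&2; return 4; }
    # Subshell keeps the restrictive umask local; the .pfx holds a private key.
    ( umask 077
      openssl pkcs12 -export -in "$1" -out "$2" \
          -name "My Certificate" -passout "file:$3" )
}

# Usage: sh check_export.sh mycert.pem mycert.pfx passphrase.txt
if [ "$#" -eq 3 ]; then
    export_pkcs12 "$@"
fi
```

A return code of 3 corresponds to the situation in the question: the file holds only a certificate, so there is nothing to bundle into a PKCS#12 file.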

Solution 2:

That is because you do not have the corresponding private key to that certificate.

In cryptography, PKCS #12 is a bundled key format which is commonly used to store the private key with its X.509 certificate together. See more info on Wikipedia here.

You can only export certificates in PKCS #12 format if you have the private key that belongs to it in your browser. This must be on the same computer and the same browser which you used to generate the key signing certificate. See CAcert's Knowledge base article for a clearer explanation:

"Your keys are contained in something called the key "store". You may export public/private keypairs from your store to a file, and optionally (but highly recommended!) secure them with a passphrase. This is typically done by going into the "Manage Certificates" section of your browser (i.e., Firefox), and then performing a "Backup" of your key. This will create a file with a .P12 or .PFX suffix."