So, you got a brand new personal certificate via a authorized issuer and all you got is a single file which has a ending of .p12? You want to use this certificate in various software solutions, but these solutions want single files for the user certificate and the private key? Then you have to split your .p12 file.

What is a .p12 file?

A .p12 file is a bundle which contains your private key as well as your private certificate. For a lot of certificate issuers, distributing these two things in a bundle is obviously easier.

Even if there is a lot of software which supports working with those bundles, there are others which don’t. The most prominent example I know is Network Manager under Linux. If you want to use a .p12 file with the Network Manger OpenVPN extension, you have to split up the .p12 file in it’s single parts. To split p12 certificates into single files will end up in having two files: Your user certificate and key.

Which software is needed?

Under Linux you need to have OpenSSL ready. OpenSSL is installed by default on every Linux based machine nowadays. But just to be sure, we will install OpenSSL again for this tutorial. For Debian, Linux Mint and Ubuntu simply enter the following command:

user@systen:~$ sudo apt-get update && sudo apt-get install openssl

Windows user have to downloaded the OpenSSL tools on their official homepage which can be found here: OpenSSL Windows Binaries

How to split a .p12 file?

Firstly, you have to navigate into the directory were your SSL file is actually stored. You can do this with the command cd. In this example we assume, that the p12 certificate file is stored in the directory ssl:

user@system:~$ cd ssl

Now that you are in the correct directory, you can extract the user key with the following command:

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem

The user certificate can be exported like this:

user@system:~/ssl$ openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem

During these two steps you might get asked for a password of the actual .p12 file and for a password for the new exported files. It’s up to you if you want to protect the new exported single files with a password. However, it is recommended of course. You can also do the two commands above within one statement like this (if you want):

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem && openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem

Further links