{{Short description|Archive file format storing cryptography objects|noreplace}} {{Correct title|title=PKCS #12|reason=hash}} {{Infobox file format | name = PKCS #12 | icon = | extension = <code>.p12</code>, <code>.pfx</code> | mime =application/x-pkcs12 | released = {{start date|1996}} | standard = | url = | type code = | uniform type = com.rsa.pkcs-12<ref>{{cite web |url=https://developer.apple.com/documentation/uniformtypeidentifiers/uttype/3551547-pkcs12 |title=pkcs12 |work=Apple Developer Documentation: Uniform Type Identifiers |publisher=Apple Inc | archive-url = https://web.archive.org/web/20230528160120/https://developer.apple.com/documentation/uniformtypeidentifiers/uttype/3551547-pkcs12 | archive-date = 2023-05-28 | url-status = live }}</ref> | owner = RSA Security | latest release version = PKCS #12 v1.1 | latest release date = {{Start date and age|2012|10|27|df=yes}} | genre = Archive file format | container for = X.509 public key certificates, X.509 private keys, X.509 CRLs, generic data | contained by = | extended from = Microsoft PFX file format | extended to = }}

In cryptography, '''PKCS #12''' defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice.<ref> {{cite web | url = http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm | title = PKCS #12: Personal Information Exchange Syntax Standard | publisher = RSA Laboratories | quote = This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc. | archive-url = https://web.archive.org/web/20170417091802/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm | archive-date = 2017-04-17 | url-status = dead }} </ref><ref> {{cite web | url = https://ftp.gnome.org/mirror/archive/ftp.sunet.se/pub/security/docs/PCA/PKCS/ftp.rsa.com/pkcs-12/pkcs-12v1.pdf | title = PKCS 12 v1.0: Personal Information Exchange Syntax | publisher = RSA Laboratories | date = 1999-06-24 | access-date = 2020-01-16 | archive-url = https://web.archive.org/web/20200116104631/https://ftp.gnome.org/mirror/archive/ftp.sunet.se/pub/security/docs/PCA/PKCS/ftp.rsa.com/pkcs-12/pkcs-12v1.pdf | archive-date = 2020-01-16 | url-status = dead }}</ref>

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

The filename extension for PKCS #12 files is <code>.p12</code> or <code>.pfx</code>.<ref name="dotnet">{{cite web | url = https://docs.microsoft.com/en-us/previous-versions/ms867088(v=msdn.10) | title = PKCS #12 File Types: Portable Protected Keys in .NET | author = Michel I. Gallant | publisher = Microsoft Corporation | date = March 2004 | quote = All Windows operating systems define the extensions .pfx and .p12 as Personal Information Exchange, or PKCS #12, file types. | accessdate = 2013-03-14 | archive-url = https://web.archive.org/web/20230606215958/https://learn.microsoft.com/en-us/previous-versions/ms867088(v=msdn.10) | archive-date = 2023-06-06 | url-status = live }}</ref>

These files can be created, parsed and read out with the OpenSSL <code>pkcs12</code> command.<ref name="openssl">{{cite web | url = https://www.openssl.org/docs/manmaster/man1/pkcs12.html | title = openssl-cmds: pkcs12 | publisher = OpenSSL Project | quote = The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. | date = 2019 | accessdate = 2020-01-16 | archive-url = https://web.archive.org/web/20230606215953/https://www.openssl.org/docs/manmaster/man1/pkcs12.html | archive-date = 2023-06-06 | url-status = live }}</ref>

==Relationship to PFX file format== PKCS #12 is the successor to Microsoft's "PFX";<ref>{{cite web | author = Peter Gutmann | author-link = Peter Gutmann (computer scientist) | url = https://static.usenix.org/events/sec02/full_papers/gutmann/gutmann.pdf | title = Lessons Learned in Implementing and Deploying Crypto Software | publisher = The USENIX Association | date = August 2002 | quote = In 1996 Microsoft introduced a new storage format [...] called PFX (Personal Information Exchange) [...] it was later re-released in a cleaned-up form as PKCS #12 | accessdate = 2020-01-16 | archive-url = https://web.archive.org/web/20230606215956/https://static.usenix.org/events/sec02/full_papers/gutmann/gutmann.pdf | archive-date = 2023-06-06 | url-status = live }}</ref> however, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.<ref name="dotnet" /><ref name="openssl"/><ref name="pgut001">{{cite web | url = https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html | title = PFX - How Not to Design a Crypto Protocol/Standard | author = Peter Gutmann | author-link = Peter Gutmann (computer scientist) | date=1998-03-12 | accessdate = 2020-01-16 | archive-url = https://web.archive.org/web/20230710231053/https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html | archive-date = 2023-07-10 | url-status = live }}</ref>

The PFX format has been criticized for being one of the most complex cryptographic protocols.<ref name="pgut001"/>

==Normal usage==

The full PKCS&nbsp;#12 standard is very complex. It enables buckets of complex objects such as PKCS&nbsp;#8 structures, nested deeply. But in practice it is normally used to store just one private key and its associated certificate chain.{{Citation needed|date=October 2023|reason=Reliable source about “normally” storing just one private key in p12 is needed.}}

PKCS&nbsp;#12 files are usually created using OpenSSL, which only supports a single private key from the command line interface. The Java keytool can be used to create multiple "entries" since Java&nbsp;8, but that may be incompatible with many other systems.<ref>{{cite web | url = https://github.com/kaikramer/keystore-explorer/issues/35 | date = 2016-06-05 | author = Kai Kramer | title = p12 files don't show root and sub CA certificates #35 | quote = There exists a general problem when the extremely flexible PKCS#12 format is pushed into the keystore API. [...] 2.16.840.1.113894.746875.1.1: <Unsupported tag 6>}}</ref> As of Java&nbsp;9 (released 2017-09-21), PKCS&nbsp;#12 is the default keystore format.<ref>{{cite web | url = https://openjdk.java.net/jeps/229 | title = JEP 229: Create PKCS12 Keystores by Default | work = OpenJDK JEPs | publisher = Oracle Corporation | date = 2014-05-30 | archive-url = https://web.archive.org/web/20230608124943/https://openjdk.org/jeps/229 | archive-date = 2023-06-08 | url-status = live }}</ref><ref>{{cite web | url = https://bugs.openjdk.java.net/browse/JDK-8044445 | title = Bug JDK-8044445: Create PKCS12 Keystores by Default | work = JDK Bug System | first = Vincent | last = Ryan | date = 2014-05-30 | archive-url = https://web.archive.org/web/20230206213355/https://bugs.openjdk.org/browse/JDK-8044445 | archive-date = 2023-02-06 | url-status = live }}</ref>

A simpler, alternative format to PKCS&nbsp;#12 is PEM which just lists the certificates and possibly private keys as Base&nbsp;64 strings in a text file.

GnuTLS's ''certtool'' may also be used to create PKCS&nbsp;#12 files including certificates, keys, and CA certificates via '''--to-p12'''. However, beware that for interchangeability with other software, if the sources are in PEM Base64 text, then '''--outder''' should also be used.

==References== {{Reflist}}

==External links== * {{IETF RFC|7292}} - PKCS #12: Personal Information Exchange Syntax v1.1 * {{cite web | url = http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm | title = PKCS #12: Personal Information Exchange Syntax Standard | publisher = RSA Laboratories | quote = This standard specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, etc. | archive-url = https://web.archive.org/web/20170417091802/http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange-syntax-standard.htm | archive-date = 2017-04-17 | url-status = dead }}

* Overview about PKCS#12 capabilities, usage, implementations, history and future: {{cite web | url = https://unmitigatedrisk.com/?p=543 | title = The PKCS#12 standard needs another update | author = Ryan Hurst and Yury Strozhevsky | date = 2015-12-02 | archive-url = https://archive.today/20170303104212/https://unmitigatedrisk.com/?p=543 | archive-date = 2017-03-03 | url-status = live }}

{{PKCS navbox}} {{Cryptography navbox}}

{{DEFAULTSORT:Pkcs12}} Category:Cryptography standards