PKCS#12


PKCS#12 is a secure container mainly used to store and transfer private keys and certificates. When keys are said to be stored in software, the storage format could be PKCS#12. The terms PKCS#12, PFX and P12 are used interchangeably to refer to a PKCS#12-based secure container.

Two modes are used to secure the contents of a PKCS#12 container:

Password based integrity and privacy mode

In this mode, privacy is achieved by deriving a secret key from the password. This secret key is then used to encrypt the private key and certificates in the PKCS#12. Integrity is achieved the same way: a secret key is derived from the password and later used to compute the HMAC over the PKCS#12. The passwords for privacy and integrity can be the same or different. The common practice is to use the same password. Different tools and software development kits do not provide an option to use different passwords for privacy and integrity. This mode is commonly used to secure the cryptographic objects in PKCS#12.
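The password based mode described above, as an added example that is not part of the original page: it uses the key derivation function from RFC 7292 Appendix B, which the page does not name, to derive separate encryption and MAC keys from one password and then checks the HMAC. The password, salt, iteration count, SHA-1 choice and content bytes are constructed assumptions, not values from a real PFX file.

```python
import hashlib
import hmac

ID_ENC_KEY, ID_IV, ID_MAC_KEY = 1, 2, 3  # purpose bytes from RFC 7292 Appendix B.3

def _fill(data: bytes, v: int) -> bytes:
    """Repeat data up to a whole number of v-byte blocks (empty stays empty)."""
    if not data:
        return b""
    size = v * ((len(data) + v - 1) // v)
    return (data * (size // len(data) + 1))[:size]

def pkcs12_kdf(password: str, salt: bytes, iterations: int, purpose: int,
               length: int, hash_name: str = "sha1") -> bytes:
    """Derive `length` bytes for one purpose (RFC 7292 Appendix B.2)."""
    v = hashlib.new(hash_name).block_size
    pw = (password + "\0").encode("utf-16-be")   # BMPString plus NUL terminator
    diversifier = bytes([purpose]) * v
    block = bytearray(_fill(salt, v) + _fill(pw, v))
    out = b""
    while len(out) < length:
        a = hashlib.new(hash_name, diversifier + bytes(block)).digest()
        for _ in range(iterations - 1):
            a = hashlib.new(hash_name, a).digest()
        out += a
        b = int.from_bytes(_fill(a, v), "big") + 1
        for j in range(0, len(block), v):        # I_j = (I_j + B + 1) mod 2^(8v)
            s = (int.from_bytes(block[j:j + v], "big") + b) % (1 << (8 * v))
            block[j:j + v] = s.to_bytes(v, "big")
    return out[:length]

def container_mac(password: str, salt: bytes, iterations: int, content: bytes) -> bytes:
    """HMAC-SHA1 over the container content with the password-derived MAC key."""
    key = pkcs12_kdf(password, salt, iterations, ID_MAC_KEY, 20)
    return hmac.new(key, content, hashlib.sha1).digest()

def verify_mac(password: str, salt: bytes, iterations: int, content: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(container_mac(password, salt, iterations, content), mac)

# Constructed sample values, not taken from a real PFX file.
SALT = bytes(range(8))
CONTENT = b"constructed stand-in for the encrypted key and certificate bags"
STORED_MAC = container_mac("export-password", SALT, 2048, CONTENT)

if __name__ == "__main__":
    print("enc key:", pkcs12_kdf("export-password", SALT, 2048, ID_ENC_KEY, 24).hex())
    print("mac key:", pkcs12_kdf("export-password", SALT, 2048, ID_MAC_KEY, 20).hex())
    print("wrong password:", verify_mac("guess", SALT, 2048, CONTENT, STORED_MAC))
    print("tampered:", verify_mac("export-password", SALT, 2048, CONTENT + b"x", STORED_MAC))
```

Even with the same password and salt, the purpose byte makes the encryption key and the MAC key different, and a wrong password or a modified container both fail the HMAC check.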

Public key based integrity and privacy mode

In this mode, integrity is achieved by creating a PKCS#7 SignedData structure, while privacy is achieved using the PKCS#7 EnvelopedData structure. This mode is less commonly used.

Structure

The structure of PKCS#12 in ASN.1 format is shown below. You must be able to read ASN.1 in order to fully understand this structure. The ASN.1 structure below uses the password based integrity and privacy mode.



1) specifies that the password based privacy mode is used.
2) specifies that the private key is encrypted following the PKCS#8 standard. The private key is encrypted using the secret key derived from the password. The password based encryption (PBE) algorithm is also mentioned.
3) specifies the encrypted private key object.
4) specifies the unique identifier (alias) assigned to this private key. The same identifier (alias) is assigned to the corresponding certificates. These shared aliases create the linkage between a private key and its corresponding certificates in the PKCS#12 container.
5) specifies the encrypted certificate objects. These certificate objects are also encrypted using the password based encryption (PBE) algorithm.
6) specifies that the password based integrity mode is used. Here again, the secret key is derived from the password and then used to compute the HMAC over the PKCS#12.

The PKCS#12 standard also allows multiple private keys to be stored in a single PKCS#12 container, but this is less commonly used.