bookmark_borderHow to convert/split p12 certificates into single files

So, you got a brand new personal certificate via a authorized issuer and all you got is a single file which has a ending of .p12? You want to use this certificate in various software solutions, but these solutions want single files for the user certificate and the private key? Then you have to split your .p12 file.

What is a .p12 file?

A .p12 file is a bundle which contains your private key as well as your private certificate. For a lot of certificate issuers, distributing these two things in a bundle is obviously easier.
Even if there is a lot of software which supports working with those bundles, there are others which don’t. The most prominent example I know is Network Manager under Linux. If you want to use a .p12 file with the Network Manger OpenVPN extension, you have to split up the .p12 file in it’s single parts. To split p12 certificates into single files will end up in having two files: Your user certificate and key.

Which software is needed?

Under Linux you need to have OpenSSL ready. OpenSSL is installed by default on every Linux based machine nowadays. But just to be sure, we will install OpenSSL again for this tutorial. For Debian, Linux Mint and Ubuntu simply enter the following command:

user@systen:~$ sudo apt-get update && sudo apt-get install openssl

Windows user have to downloaded the OpenSSL tools on their official homepage which can be found here: OpenSSL Windows Binaries

How to split a .p12 file?

Firstly, you have to navigate into the directory were your SSL file is actually stored. You can do this with the command cd. In this example we assume, that the p12 certificate file is stored in the directory ssl:
user@system:~$ cd ssl
Now that you are in the correct directory, you can extract the user key with the following command:

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem

The user certificate can be exported like this:

user@system:~/ssl$ openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem

During these two steps you might get asked for a password of the actual .p12 file and for a password for the new exported files. It’s up to you if you want to protect the new exported single files with a password. However, it is recommended of course. You can also do the two commands above within one statement like this (if you want):

user@system:~/ssl$ openssl pkcs12 -nocerts -in your_file.p12 -out user_key.pem && openssl pkcs12 -nokeys -clcerts -in your_file.p12 -out user_cert.pem

Further links

bookmark_borderPost Script for OpenVPN clients

OpenVPN Logo
Image source: openvpn.net
Did you ever wanted to automatically do something after you OpenVPN client has successful connected to your OpenVPN server? To do so you can just add 2 simple lines to your client OpenVPN file:

script-security 2
up postscript.sh

This 2 lines above are doing the following:

  • script-security 2: Allows the calling of built-in executables (ip, route, ifconfig, …) and user-defined scripts (see next line). A script-security of 1 would mean that only built-in executables are allowed to be called.
  • up postscript.sh: This line defines the script which should be started after the client successfully connected to the server. In this case the script is called postscript.sh. If you don’t define the total path to the script here, the script has to be in the same directory as the OpenVPN client configuration.

And that’s it. After you are connected to your OpenVPN Server the given script will be fired up. Don’t forget to make the script executable for course.
For e.g. I use this to create a route on specific clients after they connected to the OpenVPN server. Of course you can do whatever you want inside the script.