The TNSR CLI can generate PKCS#12 archive files which contain a certificate, its private key, and optionally the CA which signed the certificate.
These password-protected archives make importing the certificates to a client system easier in certain cases, such as for use with RESTCONF or the TNSR GUI (TNSR GUI Service with Client Certificate Authentication). Some software only supports importing certificates from PKCS#12 archives rather than separate PEM files for each component.
Generating a PKCS#12 Archive
PKCS#12 archives are generated by the pki pkcs12 command in the TNSR CLI.
When TNSR generates a PKCS#12 archive file it is stored in /etc/pki/tls/tnsr/certs/ and a copy is placed in the home directory of the current CLI user.
The general form of the pki pkcs12 <certname> generate command is as follows:
tnsr# pki pkcs12 <certname> generate export-password <password> [ca-name <caname>] [key-pbe-algorithm <pbe-algo>] [certificate-pbe-algorithm <pbe-algo>] [mac-algorithm <mac-algo>] [verbose]
The optional parameters for the command must be given in the order listed!
- <certname>
The name of the existing certificate entry.
- export-password <password>
The password used to protect the contents of the archive. Clients will need this password to import or read the contents.
This must be at least 8 characters in length but no more than
- ca-name <caname>
The name of the existing certificate authority entry which signed the certificate. This is optional. If omitted, the PKCS#12 archive will only contain the client certificate and its private key, not the CA.
- key-pbe-algorithm <pbe-algo>
The password-based encryption algorithm with which to encrypt the private key. This is optional and defaults to
- certificate-pbe-algorithm <pbe-algo>
The password-based encryption algorithm with which to encrypt the certificate. This is optional and defaults to
- mac-algorithm <mac-algo>
The message authentication code (hash) used for integrity protection. This is optional and defaults to
- verbose
An optional parameter. When present, in addition to writing the archive file copies, the command also prints a Base64-encoded string containing the PKCS#12 archive data.
After entering the command, the entry is stored in the TNSR filesystem. To generate a different PKCS#12 archive, for example to use different encryption, first delete the existing entry (Deleting a PKCS#12 Archive).
The PKCS#12 archive export command supports multiple algorithms with which to encrypt and hash the contents of the archive. Support for algorithms varies by operating system, so certain uses may require different encryption or hashing options.
To see a list of available algorithms for each selection, enter ? in place of the algorithm name:
tnsr# pki pkcs12 mycert generate export-password abc12345 key-pbe-algorithm ?
  AES-256-CBC    PBE with 256 bit AES-CBC
  PBE-SHA1-3DES  PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 certificate-pbe-algorithm ?
  AES-256-CBC    PBE with 256 bit AES-CBC
  PBE-SHA1-3DES  PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 mac-algorithm ?
  sha1    SHA1
  sha256  SHA256
To make a PKCS#12 archive which can be used by Linux, Windows, FreeBSD, or other modern clients, use the stronger algorithms (AES-256-CBC and SHA256):
Example (all on one line):
tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca key-pbe-algorithm AES-256-CBC certificate-pbe-algorithm AES-256-CBC mac-algorithm sha256
macOS clients do not currently support these stronger algorithms on PKCS#12 archive files, so an archive for those clients needs different, weaker, algorithms (3DES and SHA1). Because those algorithms give the contents, including the private key, less protection, transfer such an archive over a protected channel and delete the copies once the client has imported it:
Example (all on one line):
tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca key-pbe-algorithm PBE-SHA1-3DES certificate-pbe-algorithm PBE-SHA1-3DES mac-algorithm sha1
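Before handing an archive to a client, it is worth confirming on the client side which algorithms it actually uses, for example to check that the archive prepared for macOS really uses the 3DES/SHA1 profile and that the one for other clients uses AES-256-CBC/SHA256. The shell script below is an added example, not part of TNSR or its documentation: it builds two test archives with OpenSSL using the same two algorithm profiles shown above (OpenSSL's -keypbe, -certpbe and -macalg options accept the same names as the TNSR options), then reads back the MAC and PBE algorithms from each with openssl pkcs12 -info. The self-signed certificate, file paths and password are constructed for the example; an openssl binary (1.1.1 or later) on PATH is assumed.

```shell
#!/bin/sh
# Added example (not TNSR code): build two PKCS#12 archives from a throwaway
# self-signed certificate with OpenSSL, using the two algorithm profiles the
# TNSR CLI offers, then read back what each archive actually uses.
# Assumptions: openssl 1.1.1 or later on PATH; paths and password are
# constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=abc12345   # export password, as in the TNSR examples

# Constructed test material: a self-signed certificate standing in for a
# certificate entry ("mycert") issued on TNSR.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=mycert" -days 1 \
        -keyout "$WORK/mycert.key" -out "$WORK/mycert.crt" 2>/dev/null
}

# export_p12 <outfile> <key-pbe> <cert-pbe> <mac-alg>
# The three algorithm arguments take the same names as TNSR's
# key-pbe-algorithm, certificate-pbe-algorithm and mac-algorithm options
# (AES-256-CBC / PBE-SHA1-3DES, sha256 / sha1).
export_p12() {
    openssl pkcs12 -export -out "$1" -passout "pass:$PASS" \
        -inkey "$WORK/mycert.key" -in "$WORK/mycert.crt" \
        -keypbe "$2" -certpbe "$3" -macalg "$4"
}

# p12_profile <file>: print one lowercase line "mac=<alg> key=<alg> cert=<alg>"
# describing the algorithms the archive actually uses, taken from the
# `openssl pkcs12 -info` report (which OpenSSL writes to stderr, hence 2>&1).
# OpenSSL 3 names the MAC digest; 1.1.1 prints only its iteration count,
# in which case mac= is reported as "unreported".
p12_profile() {
    # Fail loudly if the archive cannot be opened at all (wrong password,
    # or an algorithm this OpenSSL build does not support).
    openssl pkcs12 -noout -in "$1" -passin "pass:$PASS" >/dev/null 2>&1 \
        || { echo "cannot open $1" >&2; return 1; }
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" 2>&1 \
    | tr 'A-Z' 'a-z' | awk -F': ' '
        BEGIN { mac = "unreported" }
        /^mac:/                  { split($2, a, ","); mac = a[1] }
        /^shrouded keybag:/      { key = $2 }
        /^pkcs7 encrypted data:/ { cert = $2 }
        END { printf "mac=%s key=%s cert=%s\n", mac, key, cert }'
}

main() {
    make_test_cert
    # Profile for Linux, Windows, FreeBSD and other modern clients.
    export_p12 "$WORK/mycert-strong.p12" AES-256-CBC AES-256-CBC sha256
    # Weaker profile for clients that cannot import the above (macOS, per TNSR).
    export_p12 "$WORK/mycert-legacy.p12" PBE-SHA1-3DES PBE-SHA1-3DES sha1
    echo "strong: $(p12_profile "$WORK/mycert-strong.p12")"
    echo "legacy: $(p12_profile "$WORK/mycert-legacy.p12")"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found on PATH; nothing to do" >&2
fi
```

Run the same p12_profile check against an archive copied from TNSR (substituting its export password) to see what a client will be asked to decrypt; an archive whose key and cert lines name AES-256-CBC is the one to give to Linux, Windows or FreeBSD clients, and one naming 3DES with MAC sha1 is the macOS variant. If the first openssl call in p12_profile fails with the correct password, the client's OpenSSL build does not support the archive's algorithms and a different profile is needed.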
Listing PKCS#12 Archives
To view a list of PKCS#12 archives present on TNSR:
tnsr# pki pkcs12 list
mycert
Copying PKCS#12 Archives
The TNSR CLI user likely does not have sufficient access to read the files from /etc/pki/tls/tnsr/certs/ directly. To make a fresh copy of a PKCS#12 archive from /etc/pki/tls/tnsr/certs/ to the home directory of the current CLI user, use:
tnsr# pki pkcs12 <certname> get
This also enables a different TNSR CLI user to obtain a previously generated PKCS#12 archive.
This command supports a verbose parameter which works identically to the same parameter in the pki pkcs12 <certname> generate command.
Deleting a PKCS#12 Archive
To remove a PKCS#12 archive entry, for example to replace it with a new archive with different encryption options, use the following command:
tnsr# pki pkcs12 <certname> delete
This removes the PKCS#12 archive file from /etc/pki/tls/tnsr/certs/ but does not remove the copies of the file placed in the home directory of the CLI user which generated the archive, or of any user who retrieved it with pki pkcs12 <certname> get. Remove those copies manually once they are no longer needed, since each one contains the certificate's private key.