[SRX] Adding a P12/PKCS12 format certificate with Private Keys to an SRX device

  [KB33506]


In certain scenarios, a third-party Certificate Authority (CA) provides a certificate in P12/PKCS12 format, generally a wildcard certificate, to be added as a local certificate on SRX devices. A PKCS12 format certificate contains a Certificate as well as Private Keys, which are not generated on the SRX device and which are encrypted with a passphrase.

However, SRX devices do not support adding a PKCS12 format certificate directly; only certificates in Privacy Enhanced Mail (PEM) format can be added.

This article provides the steps to convert the PKCS12 format certificate into PEM and then add it to the SRX device.



To add a P12/PKCS12 certificate to an SRX device, the certificate must first be converted into PEM format. This can be done on a Linux device by using OpenSSL, which allows extraction of the Private Key (protected with a passphrase) and the certificate in PEM format from the PKCS12 format certificate.

To convert a P12/PKCS12 certificate into PEM format, perform the following steps:

  1. Copy the P12 format file into a directory. In this example, the file is test-prod-cert.p12, which is protected with the passphrase jtac123.

lnx01:~$ ls

  2. Run the following command to extract the Private Key in PEM format:

lnx01:~$ openssl pkcs12 -in test-prod-cert.p12 -nocerts -out test-prod-cert-privatekey.pem
Enter Import Password: <<< You are prompted to enter the p12 passphrase (jtac123).
MAC verified OK
Enter PEM pass phrase: <<< You are prompted twice to create a new passphrase for the PEM keys.
Verifying - Enter PEM pass phrase:

  3. The PEM Private Key is then created:

lnx01:~$ ls
test-prod-cert.p12 *test-prod-cert-privatekey.pem

  4. Similarly, the Certificate can be extracted from the P12 file:

lnx01:~$ openssl pkcs12 -in test-prod-cert.p12 -clcerts -nokeys -out test-prod-cert.pem
Enter Import Password: <<< You are prompted to enter the p12 passphrase (jtac123).
MAC verified OK

lnx01:~$ ls
test-prod-cert.p12 *test-prod-cert.pem test-prod-cert-privatekey.pem

  5. Verify that the Certificate and Private Key are extracted by using the cat command:

lnx01:~$ cat test-prod-cert.pem

lnx01:~$ cat test-prod-cert-privatekey.pem

  6. The two files can now be uploaded to the SRX device and the certificate can be installed by using the following command:

request security pki local-certificate load certificate-id test_prod filename /var/tmp/test-prod-cert.pem key /var/tmp/test-prod-cert-privatekey.pem passphrase xxxxxxxxx

Note: The passphrase in the above command is the new one that was set when the PEM key file was created.
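
The cat command in the verification step only displays the two files. The script below is an added example, not part of the original article: it repeats the two extraction commands non-interactively and then checks that the private key decrypts with the new PEM passphrase and carries the same public key as the certificate, which is worth confirming before the files are uploaded. The P12 file, the CN, both passphrases, the P12_PASS and PEM_PASS variables and all function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The P12 file and both passphrases are constructed test values.

# Stand-in for the CA-supplied file: self-signed wildcard cert + key in a P12.
make_demo_p12() {    # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
        -passout env:P12_PASS -out "$1/test-prod-cert.p12"
}

# The article's two extraction commands, with the prompts answered from the
# environment so the passphrases never appear in the process list.
extract_pem() {      # $1 = working directory
    openssl pkcs12 -in "$1/test-prod-cert.p12" -nocerts \
        -passin env:P12_PASS -passout env:PEM_PASS \
        -out "$1/test-prod-cert-privatekey.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1/test-prod-cert.p12" -clcerts -nokeys \
        -passin env:P12_PASS -out "$1/test-prod-cert.pem" 2>/dev/null
}

# Returns 0 if the key decrypts with $PEM_PASS and its public half equals the
# certificate's, 1 if they differ, 2 if either file cannot be read.
cert_matches_key() { # $1 = certificate PEM, $2 = encrypted private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin env:PEM_PASS -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

run_demo() {
    export P12_PASS='constructed-p12-pass' PEM_PASS='constructed-pem-pass'
    d=$(mktemp -d) && mkdir "$d/a" "$d/b" || return 1
    for w in "$d/a" "$d/b"; do
        make_demo_p12 "$w" && extract_pem "$w" || { rm -rf "$d"; return 1; }
    done
    cert_matches_key "$d/a/test-prod-cert.pem" "$d/a/test-prod-cert-privatekey.pem" \
        && same=0 || same=$?
    cert_matches_key "$d/a/test-prod-cert.pem" "$d/b/test-prod-cert-privatekey.pem" \
        && cross=0 || cross=$?
    rm -rf "$d"
    echo "same P12: $same (expect 0), key from another P12: $cross (expect 1)"
    [ "$same" -eq 0 ] && [ "$cross" -eq 1 ]
}

run_demo
```

With a real CA-supplied file, only extract_pem and cert_matches_key are needed, with P12_PASS and PEM_PASS exported in the shell beforehand.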

