
[SRX] Adding a P12/PKCS12 format certificate with Private Keys to an SRX device



Article ID: KB33506 | KB Last Updated: 25 Dec 2018 | Version: 1.0

In certain scenarios, a third-party Certificate Authority (CA) provides a P12/PKCS12 format certificate to be added as a local certificate on SRX devices, which is generally a wildcard certificate. A PKCS12 format certificate contains a Certificate as well as Private Keys, which are not generated on the SRX device and which are encrypted with a passphrase.

However, SRX devices do not support adding a PKCS12 format certificate directly; only certificates in Privacy Enhanced Mail (PEM) format can be added.

This article provides the steps to convert the PKCS12 format certificate into PEM and then add it to the SRX device.



To add a P12/PKCS12 certificate to an SRX device, the certificate must first be converted into PEM format. This can be done on a Linux device by using OpenSSL, which allows extraction of the Private Key (protected with a passphrase) and the certificate in PEM format from the PKCS12 format certificate.

To convert a P12/PKCS12 certificate into PEM format, perform the following steps:

  1. Copy the P12 format file into a directory. In this example, the file is test-prod-cert.p12, which is protected with the passphrase jtac123.

lnx01:~$ ls
  2. Run the following command to extract the Private Key in PEM format:

lnx01:~$ openssl pkcs12 -in test-prod-cert.p12 -nocerts -out test-prod-cert-privatekey.pem
Enter Import Password: <<< You are prompted to enter the p12 passphrase (jtac123).
MAC verified OK
Enter PEM pass phrase: <<< You are prompted twice to create a new passphrase for the PEM keys.
Verifying - Enter PEM pass phrase:
  3. The PEM Private Key is then created:

lnx01:~$ ls
test-prod-cert.p12 *test-prod-cert-privatekey.pem
  4. Similarly, the Certificate can be extracted from the P12 file:

lnx01:~$ openssl pkcs12 -in test-prod-cert.p12 -clcerts -nokeys -out test-prod-cert.pem
Enter Import Password: <<< You are prompted to enter the p12 passphrase (jtac123).
MAC verified OK

lnx01:~$ ls
test-prod-cert.p12 *test-prod-cert.pem test-prod-cert-privatekey.pem
  5. Verify that the Certificate and Private Key are extracted by using the cat command:

lnx01:~$ cat test-prod-cert.pem

lnx01:~$ cat test-prod-cert-privatekey.pem

  6. The two files can now be uploaded to the SRX device and the certificate can be installed by using the following command:

request security pki local-certificate load certificate-id test_prod filename /var/tmp/test-prod-cert.pem key /var/tmp/test-prod-cert-privatekey.pem passphrase xxxxxxxxx

Note: The passphrase in the above command is the new one that was set when the PEM key file was created.
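Viewing the files with cat shows that they exist, but not that the certificate and the private key belong together. The following is an added example, not part of the original article: it repeats the two extractions without prompts and then compares the public keys of the two PEM files before upload. The function names and the environment variables that hold the passphrases are assumptions.

```bash
#!/bin/sh
# Added example (not from the KB article). Passphrases are read from
# environment variables whose NAMES are passed in, so the secrets never
# appear on a command line or in shell history.

# extract_p12 P12 CERT_OUT KEY_OUT P12_PASS_VAR PEM_PASS_VAR
# Runs the article's two "openssl pkcs12" extractions non-interactively.
extract_p12() {
    (
        umask 077   # new PEM files are readable by the owner only
        openssl pkcs12 -in "$1" -nocerts -out "$3" \
            -passin "env:$4" -passout "env:$5" &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2" \
            -passin "env:$4"
    )
}

# pem_pair_matches CERT KEY PEM_PASS_VAR
# Returns 0 if the public key in the certificate equals the public key
# derived from the encrypted private key, 1 if they differ, and 2 if either
# file cannot be read (for example, a wrong PEM passphrase).
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "env:$3" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage with the article's file names (P12_PASS and PEM_PASS are assumed
# to be exported beforehand):
#   extract_p12 test-prod-cert.p12 test-prod-cert.pem \
#       test-prod-cert-privatekey.pem P12_PASS PEM_PASS
#   pem_pair_matches test-prod-cert.pem test-prod-cert-privatekey.pem PEM_PASS \
#       && echo "certificate and key match"
```

On OpenSSL 3.x, a bundle that was encrypted with older algorithms such as RC2 may need the -legacy option added to the openssl pkcs12 commands.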

