Google-chrome – Exporting a certificate in PKCS12 format from firefox

certificatefirefoxgoogle-chrome

I have imported a certificate into firefox, and I want to export it into PKCS12 format. The only options that I find are PKCS7 , PEM and DIR. and not PKCS12. I doubt that the certificate has no private key, so is there a way to check that?

EDIT
My problem was in the Chrome browser, which I used when I requested the certificate. It seems that it has a problem with storing the private key. I repeated the request with Firefox and things went fine.

Best Answer

You can view Certificate contents in Firefox
(Tools -> Options -> Advanced -> Encryption -> View Certs -> Yours/Authority/etc -> <cert> -> View -> Details -> Certificate Fields -> Public Key)

If you can export to PEM, you can convert that to PKCS12

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export \
  -out mycert.pfx -in mycert.pem \
  -name "My Certificate"

Update: Examples of using OpenSSL

Generate a self-signed certificate

  $ openssl req \
  >   -x509 -nodes -days 365 \
  >   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

View it's contents

  $ openssl x509 -in mycert.pem -noout -text

View the PEM file

  $ cat mycert.pem
  -----BEGIN RSA PRIVATE KEY-----
  MIICXAIBAAKBgQDa6JQOLkwoIGhTvcTSYX68Ddaq4hGk/61RSVELaVFJTNQYPB86
  …
  aPj0KoeFJ04/sLcZNZwGcC93rNA66xTICLtGbBXlM1U=
  -----END RSA PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  MIICxTCCAi6gAwIBAgIJAOaxxgLFlypwMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
  …
  tz0TMEYxbGIscZbxeJxoK6pe5tOwXtdjStlcITzksdPV5rLp84aeJl4=
  -----END CERTIFICATE-----

Note that whilst a PEM file can contain both private key and a certificate, the private key isn't part of the X.509 certificate.

If the PEM exported by FF lacks the BEGIN and END markers around the Base64 encoded data, OpenSSL can't read the PEM file.

Here's CA certificate I exported from Firefox (*viewed in e.g. notepad)

-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
…
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

(ellipsis … where data omitted for brevity)

I can view that OK using openssl x509 -in ff.crt -noout -text (I cut & pasted from Windows to Linux but you can install openssl on Windows too)