Openssl pkcs12 keeps removing the PEM passphrase from keystore’s entry


OpenSSL 1.0.1e 11 Feb 2013

Generating a self-signed certificate:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days

During the process a PEM passphrase is requested:

Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:

There are 2 resulting files after successful completion in PEM format:

key.pem, cert.pem

The private key (key.pem) is in PKCS#8 format and the starting line reads:


Now I am trying to combine the certificate, as well as the related private key, into a PKCS#12 keystore and protect the keystore with a password. Note – from my understanding this should effectively enforce requesting a password during read access, as well as a passphrase for the private key of the according entry:

openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12

Upon execution I am asked of the following:

Enter pass phrase for key.pem:
Enter Export Password:
Verifying – Enter Export Password:

However, it is my understanding that the passphrase should remain intact for the private key that is now being stored in the keystore.p12 file. Here is how I try to read the contents of the keystore:

openssl pkcs12 -nodes -info -in keystore.p12

The output I get (only related to protecting the keystore with a password):

Enter Import Password:

And lists the certificate, as well as the private key, in PEM format without requesting the passphrase for the latter. That is basically the problem. The PEM passphrase is no longer there for the private key. What am I doing wrong or how can I fix this? Thank you.

Best Answer

There's nothing wrong. That's how PKCS12 works. PKCS12 is format for securely transporting certificate chains and private keys between tokens. Protection/encryption of private key is done by passphrase you entered when asked for 'Enter Export Password'. Nothing like twice encrypted keys.

EDIT: Omit -nodes option. That turns off encryption of private key.