~~NOTOC~~
====== Scenario 12.2: PFX/PKCS#12 Export ======
**Category:** [[.:start|Import/Export]] \\
**Complexity:** ⭐⭐⭐ (Medium) \\
**Prerequisites:** Certificate with private key \\
**Estimated time:** 15-20 minutes
----
===== Description =====
This scenario describes **export and import in PFX/PKCS#12 format**. PFX (Personal Information Exchange) is the standard format on Windows and .NET for storing a certificate together with its private key and, optionally, the certificate chain in a single password-protected file.
**PFX/PKCS#12 characteristics:**
* **Content:** Certificate + private key + chain
* **Encoding:** Binary (ASN.1/DER)
* **Encryption:** Password-protected (the password both encrypts the bags and keys the integrity MAC)
* **Extensions:** .pfx, .p12
----
===== Code Example: Creating a PFX =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load certificate and key
var cert = ctx.LoadCertificate("server.crt.pem");
var privateKey = ctx.LoadPrivateKey("server.key.pem", "KeyPassword!");

// Combine certificate with key
var certWithKey = ctx.CombineCertificateAndKey(cert, privateKey);

// Export PFX (the password protects the private key and the certificates)
byte[] pfxBytes = certWithKey.Export(X509ContentType.Pfx, "PfxPassword123!");
File.WriteAllBytes("server.pfx", pfxBytes);
Console.WriteLine("PFX created: server.pfx");
</code>
----
===== Code Example: PFX with Chain =====
<code csharp>
using System;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

public class PfxExporter
{
    public byte[] ExportWithChain(
        X509Certificate2 certificate,
        X509Certificate2Collection chain,
        string password,
        PfxExportOptions options = null)
    {
        options ??= PfxExportOptions.Default;
        using var ctx = PqCryptoContext.Initialize();

        // Build the collection to export: the leaf certificate (with its key) first
        var exportCollection = new X509Certificate2Collection();
        exportCollection.Add(certificate);

        // Add the chain (without the root, unless requested)
        foreach (var caCert in chain)
        {
            if (options.IncludeRoot || !IsSelfSigned(caCert))
            {
                exportCollection.Add(caCert);
            }
        }

        // Export PFX
        var pfxBytes = exportCollection.Export(X509ContentType.Pfx, password);
        Console.WriteLine($"PFX created with {exportCollection.Count} certificates");
        return pfxBytes;
    }

    // Name-based check only: a certificate whose Subject equals its Issuer is treated as a root;
    // it does not verify the signature
    private bool IsSelfSigned(X509Certificate2 cert)
    {
        return cert.Subject == cert.Issuer;
    }
}
</code>
----
===== Code Example: Importing a PFX =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load PFX
var pfxBytes = File.ReadAllBytes("server.pfx");
var cert = new X509Certificate2(
    pfxBytes,
    "PfxPassword123!",
    // Exportable: the key may be exported again later; PersistKeySet: the key stays in the key store
    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet
);
Console.WriteLine($"Subject: {cert.Subject}");
Console.WriteLine($"Has private key: {cert.HasPrivateKey}");

// Extract private key (RSA, ECDSA or post-quantum); the cast to the common base type
// is required, otherwise the ?? chain does not compile
if (cert.HasPrivateKey)
{
    AsymmetricAlgorithm privateKey = (AsymmetricAlgorithm)cert.GetRSAPrivateKey()
        ?? (AsymmetricAlgorithm)cert.GetECDsaPrivateKey()
        ?? (AsymmetricAlgorithm)ctx.GetPqPrivateKey(cert);
    Console.WriteLine($"Key type: {privateKey.GetType().Name}");
}

// Extract the chain from the PFX
var collection = new X509Certificate2Collection();
collection.Import(pfxBytes, "PfxPassword123!", X509KeyStorageFlags.DefaultKeySet);
Console.WriteLine($"Certificates in PFX: {collection.Count}");
foreach (var c in collection)
{
    Console.WriteLine($" - {c.Subject}");
}
</code>
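The export and import examples above rely on the runtime's default PFX encryption. As an added example (not part of this page or of the WvdS library), the following builds the same leaf + key + chain PFX with ''System.Security.Cryptography.Pkcs'', choosing PBES2/AES-256 explicitly, and checks the MAC and the encryption of every SafeContents before a PFX is imported. It assumes the key is an RSA or ECDsa ''AsymmetricAlgorithm'' with an exportable private key; whether a PQ key from ''PqCryptoContext'' can be passed the same way depends on that library.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;   // NuGet package System.Security.Cryptography.Pkcs
using System.Security.Cryptography.X509Certificates;
public static class HardenedPfx
{
    // PBES2 (AES-256-CBC, PBKDF2-HMAC-SHA256, 600k iterations) instead of the legacy PBES1
    // 3DES/RC2 that X509Certificate2.Export(X509ContentType.Pfx) still uses by default.
    private static readonly PbeParameters Pbe =
        new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 600_000);
    // Leaf + shrouded key + chain; root excluded by default (same name-only check as IsSelfSigned).
    // 'key' is assumed to be an exportable RSA/ECDsa key (example assumption).
    public static byte[] Build(X509Certificate2 leaf, AsymmetricAlgorithm key,
        IEnumerable<X509Certificate2> chain, string password, bool includeRoot = false)
    {
        byte[] keyId = RandomNumberGenerator.GetBytes(20);  // localKeyId ties the cert bag to its key bag
        var contents = new Pkcs12SafeContents();
        contents.AddCertificate(leaf).Attributes.Add(new Pkcs9LocalKeyId(keyId));
        contents.AddShroudedKey(key, password, Pbe).Attributes.Add(new Pkcs9LocalKeyId(keyId));
        foreach (var ca in chain)
            if (includeRoot || ca.Subject != ca.Issuer)
                contents.AddCertificate(ca);
        var builder = new Pkcs12Builder();
        builder.AddSafeContentsEncrypted(contents, password, Pbe);
        builder.SealWithMac(password, HashAlgorithmName.SHA256, 600_000);
        return builder.Encode();
    }
    // Check a PFX before importing it: the MAC must be present and valid, and every SafeContents
    // must be password-encrypted (an unencrypted one leaves its certificates in cleartext).
    public static bool Inspect(byte[] pfx, string password, out string report)
    {
        Pkcs12Info info = Pkcs12Info.Decode(pfx, out _);
        if (info.IntegrityMode != Pkcs12IntegrityMode.Password || !info.VerifyMac(password))
        {
            report = "MAC missing or invalid: corrupt or tampered file, or wrong password";
            return false;
        }
        var lines = new List<string>();
        bool allEncrypted = true;
        foreach (Pkcs12SafeContents sc in info.AuthenticatedSafe)
        {
            if (sc.ConfidentialityMode == Pkcs12ConfidentialityMode.Password) sc.Decrypt(password);
            else allEncrypted = false;
            foreach (Pkcs12SafeBag bag in sc.GetBags())
                lines.Add($"{sc.ConfidentialityMode}: {bag.GetType().Name}");
        }
        report = string.Join("\n", lines);
        return allEncrypted;
    }
}
```

Some older Windows versions cannot import PBES2/AES-256 PFX files and report a wrong-password error; for those targets keep the page's ''Export(X509ContentType.Pfx, ...)'' path.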
----
===== PFX with OpenSSL =====
<code bash>
# Create a PFX from PEM files (leaf certificate, its key, and the CA chain)
openssl pkcs12 -export \
    -out server.pfx \
    -inkey server.key \
    -in server.crt \
    -certfile chain.pem \
    -passout pass:MyPassword

# PFX with modern algorithms: AES-256 (PBES2) for keys and certificates, SHA-256 MAC.
# -keypbe/-certpbe are the export-mode options; -aes256 only applies when parsing a PFX.
openssl pkcs12 -export \
    -out server.pfx \
    -inkey server.key \
    -in server.crt \
    -certfile chain.pem \
    -keypbe AES-256-CBC \
    -certpbe AES-256-CBC \
    -macalg sha256 \
    -passout pass:MyPassword

# Inspect a PFX (prints the PBE algorithms, MAC and iteration counts in use)
openssl pkcs12 -info -in server.pfx -passin pass:MyPassword

# Extract the contents of a PFX (-nodes writes the private key unencrypted to combined.pem)
openssl pkcs12 -in server.pfx \
    -out combined.pem \
    -nodes \
    -passin pass:MyPassword

# Note: pass:... is visible in the process list; -passout file:pw.txt or env:VAR avoids that.
</code>
----
===== Sector-specific PFX requirements =====
^ Sector ^ Key storage ^ Export ^ Notes ^
| **Windows Server** | MachineKeySet | Exportable | IIS SSL binding |
| **Azure** | UserKeySet | Non-exportable | App Service |
| **Code Signing** | MachineKeySet | Non-exportable | Authenticode |
| **Smart Card** | Hardware | Non-exportable | PIV certificates |
----
===== Related scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Alternative** | [[.:pem_export|12.1 PEM Export]] | Linux format |
| **Related** | [[.:pkcs7_chain|12.3 PKCS#7 Chain]] | Certificates only |
| **Prerequisite** | [[it:int:pqcrypt:szenarien:zertifikate:server_cert|3.1 Server certificate]] | Create the certificate |
----
<< [[.:pem_export|← 12.1 PEM Export]] | [[.:start|↑ Import/Export]] | [[.:pkcs7_chain|12.3 PKCS#7 Chain →]] >>
{{tag>scenario import export pfx pkcs12 windows}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//