12. Import/Export
Scenarios: 4
FFI Functions: ~30
Status: ⏳ Planned
This category encompasses all scenarios for importing and exporting certificates and keys. PEM, PFX/PKCS#12, PKCS#7 and interoperability with other systems.
Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 12.1 | PEM Export/Import | Base64-encoded certificates | ⭐⭐ | ⏳ |
| 12.2 | PFX/PKCS#12 | Certificate + Private Key Bundle | ⭐⭐⭐ | ⏳ |
| 12.3 | PKCS#7 Chain | Export certificate chain | ⭐⭐ | ⏳ |
| 12.4 | Interoperability | OpenSSL, Windows, Java | ⭐⭐⭐⭐ | ⏳ |
Formats
flowchart TB
subgraph CERT["📜 Certificates"]
PEM_C[".crt.pem
Base64 + Header"] DER_C[".crt.der
Binary DER"] end subgraph KEY["🔑 Keys"] PEM_K[".key.pem
PKCS#8 Base64"] DER_K[".key.der
PKCS#8 Binary"] ENC_K[".key.enc.pem
Encrypted PKCS#8"] end subgraph BUNDLE["📦 Bundles"] PFX[".pfx / .p12
Cert + Key"] P7B[".p7b
Cert Chain"] end PEM_C <--> DER_C PEM_K <--> DER_K PEM_K <--> ENC_K PEM_C --> PFX PEM_K --> PFX PEM_C --> P7B style PFX fill:#e8f5e9 style P7B fill:#e3f2fd
Base64 + Header"] DER_C[".crt.der
Binary DER"] end subgraph KEY["🔑 Keys"] PEM_K[".key.pem
PKCS#8 Base64"] DER_K[".key.der
PKCS#8 Binary"] ENC_K[".key.enc.pem
Encrypted PKCS#8"] end subgraph BUNDLE["📦 Bundles"] PFX[".pfx / .p12
Cert + Key"] P7B[".p7b
Cert Chain"] end PEM_C <--> DER_C PEM_K <--> DER_K PEM_K <--> ENC_K PEM_C --> PFX PEM_K --> PFX PEM_C --> P7B style PFX fill:#e8f5e9 style P7B fill:#e3f2fd
Format Overview
| Format | Extension | Contains | Encrypted | Usage |
|---|---|---|---|---|
| PEM | .pem, .crt, .key | Single objects | Optional | Linux, OpenSSL |
| DER | .der, .cer | Single objects | No | Binary protocols |
| PFX/PKCS#12 | .pfx, .p12 | Cert + Key + Chain | Yes | Windows, Java |
| PKCS#7 | .p7b, .p7c | Certificate chain | No | Chain distribution |
| JKS | .jks | Java KeyStore | Yes | Java applications |
Interoperability
| From/To | OpenSSL | Windows | Java | .NET |
|---|---|---|---|---|
| OpenSSL | - | PFX | PKCS#7 → JKS | PEM |
| Windows | PFX → PEM | - | PFX | PFX |
| Java | JKS → PEM | JKS → PFX | - | PFX |
| .NET | PEM | PFX | PFX | - |
Quick Start Code
PEM Export
// Certificate as PEM string certPem = certificate.ToPem(); File.WriteAllText("server.crt.pem", certPem); // Private Key encrypted as PEM string keyPem = privateKey.ToEncryptedPem( password: securePassword, algorithm: EncryptionAlgorithm.Aes256Gcm ); File.WriteAllText("server.key.pem", keyPem);
PFX/PKCS#12 Export
// Create PFX with certificate, key and chain byte[] pfxData = ctx.ExportToPfx( certificate: serverCert, privateKey: serverKey, chain: new[] { intermediateCert, rootCert }, password: pfxPassword, friendlyName: "Server Certificate" ); File.WriteAllBytes("server.pfx", pfxData);
PFX Import
// Load PFX var (cert, key, chain) = ctx.ImportFromPfx( pfxPath: "server.pfx", password: pfxPassword ); Console.WriteLine($"Certificate: {cert.Subject}"); Console.WriteLine($"Chain length: {chain.Length}");
PKCS#7 Chain Export
// Certificate chain as P7B byte[] p7bData = ctx.ExportChainToPkcs7( certificates: new[] { serverCert, intermediateCert, rootCert } ); File.WriteAllBytes("chain.p7b", p7bData);
OpenSSL Commands
PEM → PFX
openssl pkcs12 -export \ -in server.crt.pem \ -inkey server.key.pem \ -certfile chain.pem \ -out server.pfx \ -name "Server Certificate"
PFX → PEM
# Extract certificate openssl pkcs12 -in server.pfx -clcerts -nokeys -out server.crt.pem # Extract private key openssl pkcs12 -in server.pfx -nocerts -out server.key.pem # Extract chain openssl pkcs12 -in server.pfx -cacerts -nokeys -out chain.pem
DER → PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
Related Categories
| Category | Relationship |
|---|---|
| 11. Key Management | Export keys |
| 4. Certificate Management | Backup/Restore |
| 10. TLS/mTLS | Deploy certificates |
« ← 11. Key Management | ↑ Scenarios | 🏠 Home → »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: on 2026/01/30 at 06:28 AM
