Questo scenario descrive l'export e import in formato PFX/PKCS#12. PFX (Personal Information Exchange) e il formato standard per Windows e .NET per memorizzare certificati insieme a chiavi private e opzionalmente la catena di certificati in un file protetto da password.

Caratteristiche PFX/PKCS#12:

• Contenuto: Certificato + Private Key + Chain
• Encoding: Binary (ASN.1/DER)
• Crittografia: Protetto da password
• Estensioni: .pfx, .p12

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Security.Cryptography.X509Certificates;
 
using var ctx = PqCryptoContext.Initialize();
 
// Caricare certificato e chiave
var cert = ctx.LoadCertificate("server.crt.pem");
var privateKey = ctx.LoadPrivateKey("server.key.pem", "KeyPassword!");
 
// Combinare certificato con chiave
var certWithKey = ctx.CombineCertificateAndKey(cert, privateKey);
 
// Esportare PFX
byte[] pfxBytes = certWithKey.Export(X509ContentType.Pfx, "PfxPassword123!");
File.WriteAllBytes("server.pfx", pfxBytes);
 
Console.WriteLine("PFX creato: server.pfx");

public class PfxExporter
{
    public byte[] ExportWithChain(
        X509Certificate2 certificate,
        X509Certificate2Collection chain,
        string password,
        PfxExportOptions options = null)
    {
        options ??= PfxExportOptions.Default;
        using var ctx = PqCryptoContext.Initialize();
 
        // Creare collection per export
        var exportCollection = new X509Certificate2Collection();
        exportCollection.Add(certificate);
 
        // Aggiungere chain (senza Root, se desiderato)
        foreach (var caCert in chain)
        {
            if (options.IncludeRoot || !IsSelfSigned(caCert))
            {
                exportCollection.Add(caCert);
            }
        }
 
        // Esportare PFX
        var pfxBytes = exportCollection.Export(X509ContentType.Pfx, password);
 
        Console.WriteLine($"PFX creato con {exportCollection.Count} certificati");
        return pfxBytes;
    }
 
    private bool IsSelfSigned(X509Certificate2 cert)
    {
        return cert.Subject == cert.Issuer;
    }
}

using var ctx = PqCryptoContext.Initialize();
 
// Caricare PFX
var pfxBytes = File.ReadAllBytes("server.pfx");
var cert = new X509Certificate2(
    pfxBytes,
    "PfxPassword123!",
    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet
);
 
Console.WriteLine($"Subject: {cert.Subject}");
Console.WriteLine($"Ha Private Key: {cert.HasPrivateKey}");
 
// Estrarre Private Key
if (cert.HasPrivateKey)
{
    var privateKey = cert.GetRSAPrivateKey()
        ?? cert.GetECDsaPrivateKey()
        ?? (AsymmetricAlgorithm)ctx.GetPqPrivateKey(cert);
 
    Console.WriteLine($"Tipo chiave: {privateKey.GetType().Name}");
}
 
// Estrarre chain da PFX
var collection = new X509Certificate2Collection();
collection.Import(pfxBytes, "PfxPassword123!", X509KeyStorageFlags.DefaultKeySet);
 
Console.WriteLine($"Certificati in PFX: {collection.Count}");
foreach (var c in collection)
{
    Console.WriteLine($"  - {c.Subject}");
}

# Creare PFX da file PEM
openssl pkcs12 -export \
    -out server.pfx \
    -inkey server.key \
    -in server.crt \
    -certfile chain.pem \
    -passout pass:MyPassword
 
# PFX con algoritmo moderno (AES-256)
openssl pkcs12 -export \
    -out server.pfx \
    -inkey server.key \
    -in server.crt \
    -certfile chain.pem \
    -aes256 \
    -passout pass:MyPassword
 
# Ispezionare PFX
openssl pkcs12 -info -in server.pfx -passin pass:MyPassword
 
# Estrarre PFX
openssl pkcs12 -in server.pfx \
    -out combined.pem \
    -nodes \
    -passin pass:MyPassword

« ← 12.1 PEM Export | ↑ Import/Export | 12.3 PKCS#7 Chain → »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional