Actually, according to Wikipedia, the PKCS #12 format (*.p12) can be used as a keystore within Java, as explained here: http://en.wikipedia.org/wiki/PKCS

"PKCS #12: Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS#12. This container format can contain multiple embedded objects, e.g. multiple certificates. Usually protected/encrypted with a password. Can be used as a format for the Java key store. Usable by Tomcat, but NOT by Apache."

So I guess it's both--a private key/certificate pair, but if one wanted, multiple certificates--and I guess multiple private keys--could be stored within the same file.

Glen

-----Original Message-----
From: Mazza, Glen R.
Sent: Mon 12/28/2009 6:19 PM
To: openssl-users@openssl.org
Subject: RE: (newbie) private key vs. keystore confusion

OK, apparently then a "keystore" (as defined here[1]) is really just a Java language-specific construct, and the .p12 is a certificate/private key pair (not a keystore).

Thanks all for your responses,
Glen

[1] http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Anand Patel
Sent: Sunday, December 27, 2009 9:10 PM
To: openssl-users@openssl.org
Subject: Re: (newbie) private key vs. keystore confusion

Not sure what you mean by keystore but above command combines certificate and key in PKCS12 format "service.p12".

-Anand

On Thu, Dec 24, 2009 at 10:33 AM, Mazza, Glen R. <glen.r.ma...@saic.com> wrote:

Hello,

I'm confused somewhat about the workings of OpenSSL, in particular the following command:

    openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass

Question: Does the above command create a private key named "service.p12" or a keystore named "service.p12" that has a private key within it? I'm not sure what service.p12 is -- is it a keystore or a private key?

If it is a keystore containing a private key, just to confirm, there is no real way with OpenSSL to create a private key without its enclosing keystore, correct? I.e., it is usual and normal for OpenSSL to create its private keys within keystores. But if it is just a private key, does OpenSSL provide the ability to create a keystore that can be used to house this private key? (What would the command be for that)?

Thanks,
Glen
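
An added example, not part of the original thread: it creates a standalone PEM private key, bundles it with the thread's `openssl pkcs12 -export` command, then inspects `service.p12` to show it holds one certificate and one key under the alias `myservicekey`. The key and self-signed certificate are throwaway constructed values, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example. The key and certificate are throwaway, constructed values;
# file names, alias and passwords are the ones used in the thread's command.
set -eu

build_p12() {    # $1 = empty working directory
    (
        cd "$1"
        # 1. A private key is just a PEM file; no keystore is involved.
        openssl genrsa -aes128 -passout pass:sspass -out servicekey.pem 2048 2>/dev/null
        # 2. Self-signed certificate for that key (constructed subject name).
        openssl req -new -x509 -key servicekey.pem -passin pass:sspass \
            -subj "/CN=constructed-example" -days 1 -out servicecert.pem
        # 3. The command from the thread: bundle key + certificate as PKCS #12.
        openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem \
            -out service.p12 -name myservicekey \
            -passin pass:sspass -passout pass:skpass
    )
}

# Dump parts of the bundle; $1 = .p12 file, $2 = password, rest = extra flags.
p12_dump() { f=$1; pw=$2; shift 2; openssl pkcs12 -in "$f" -passin "pass:$pw" "$@" 2>/dev/null; }

count_certs() { p12_dump "$1" skpass -nokeys | grep -c 'BEGIN CERTIFICATE' || true; }
count_keys()  { p12_dump "$1" skpass -nocerts -nodes | grep -c 'BEGIN .*PRIVATE KEY' || true; }
alias_name()  { p12_dump "$1" skpass -nokeys | sed -n 's/^ *friendlyName: //p' | head -n 1; }

# True when the key inside the bundle is the same key as the standalone PEM.
same_key() {     # $1 = .p12 file, $2 = PEM key file
    a=$(p12_dump "$1" skpass -nocerts -nodes | openssl pkey -pubout)
    b=$(openssl pkey -in "$2" -passin pass:sspass -pubout)
    [ "$a" = "$b" ]
}

# True when the bundle opens with the given password (MAC check passes).
opens_with() { p12_dump "$1" "$2" -noout; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_p12 "$work"
echo "certs=$(count_certs "$work/service.p12") keys=$(count_keys "$work/service.p12")" \
     "alias=$(alias_name "$work/service.p12")"
```

Note that `-nodes` writes the extracted key unencrypted to the pipe; here it is used only to count and compare, and nothing is written to disk in the clear.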