The previous example to create the database server's keystore used three PEM input files, one
with the database server's private key, one with the database server's user certificate that
corresponds to the private key, and one PEM file with the root CA certificate. An alternative
way is to first combine all three input files into a single PEM file and then use it as a single
input file to create the keystore.
The output file from the extract command in the example above is in fact a single PEM file
that contains everything for the database server's keystore. Therefore, it can be used to
re-create the database server's keystore, in a different output file, with the following
command:
$ openssl pkcs12 -export -in s1.ext4.pem -passin pass:s1extpw \
> -name server1 -caname rootCA1 \
> -out server1.extracted.p12 -passout pass:s1passwd
The command reads the PEM input file "s1.ext4.pem" that was created with the extract command
in the previous example. Because in this PEM file the private key is PBE protected, the password
"s1extpw" must be given with the option "-passin pass:...". The output is written to the new
PKCS #12 keystore file "server1.extracted.p12" and for this keystore the password "s1passwd" is
specified with the option "-passout pass:...". The options "-name server1" and "-caname rootCA1"
provide the values for the friendly name attributes of the SafeBag containers in the keystore.
The name "server1" is used for the two SafeBags containing the private key and the corresponding
user certificate. The name "rootCA1" is used for the SafeBag holding the CA
certificate.
Note: The options "-name ..." and "-caname ..." must be provided. Without these
options, the SafeBags in the keystore would not have a friendly name attribute and hence the
keystore would not work as expected during the TLS handshake. It could be argued that the
command could use the human-readable information in the PEM input file, as this also contains
the friendly name attributes. However, this human-readable information is not part of
the PEM content. The "openssl pkcs12" command ignores such additional information and uses only
the PEM content of the input file.
It follows that the command also works with an input file that contains just the PEM
content, including the PEM header and footer lines (i.e. without the human-readable information
that was added by the extract command). Therefore, it is also possible to simply concatenate
several PEM files with a private key, the corresponding user certificate and one or more CA
certificates into a single file, e.g. using the "cat" command. Such a combined PEM file can be
used as a single input file for the above command.
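The following script, added here as an illustration and not taken from the original text, walks through the combined-file approach end to end: it generates a throwaway root CA and server certificate, concatenates key, user certificate and CA certificate into one PEM file with a non-PEM comment line in front (which "openssl pkcs12" ignores), exports the keystore with "-name" and "-caname", and then reads back the friendlyName attributes of the SafeBags. The file names, subjects and the password "s1passwd" are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the original text): build a combined PEM file with a
# private key, its server certificate and the CA certificate, export it to a
# PKCS #12 keystore with -name/-caname, then check the friendlyName attributes.
# All key material is generated on the fly and discarded (constructed, not real).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA and a server certificate signed by it (constructed)
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server1" \
    -keyout "$WORK/server1.key" -out "$WORK/server1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 1 -out "$WORK/server1.crt" 2>/dev/null
}

# Concatenate the three PEM files; the leading comment line sits outside any
# PEM block and is therefore ignored by "openssl pkcs12", as the text explains.
build_combined_pem() {
  {
    echo "combined input for server1: private key, user certificate, root CA certificate"
    cat "$WORK/server1.key" "$WORK/server1.crt" "$WORK/ca.pem"
  } > "$WORK/combined.pem"
}

# Export the keystore; -name/-caname give every SafeBag a friendlyName attribute
export_keystore() {
  openssl pkcs12 -export -in "$WORK/combined.pem" \
    -name server1 -caname rootCA1 \
    -out "$WORK/server1.p12" -passout pass:s1passwd
}

# List the distinct friendlyName values stored in the keystore, sorted
keystore_friendly_names() {
  openssl pkcs12 -in "$WORK/server1.p12" -info -nodes -passin pass:s1passwd 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | sort -u
}

make_test_pki
build_combined_pem
export_keystore
echo "friendlyName attributes in server1.p12:"
keystore_friendly_names   # prints rootCA1 and server1
```

Leaving out "-name" and "-caname" in export_keystore and re-running the listing shows empty output, which is exactly the keystore state the note above warns about.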