Converting a PKCS#12 Certificate

The exported PKCS#12 file must be converted into separate root certificate, user certificate, and private key files.

Converting a Certificate

  1. Convert the RACF-generated PKCS#12 file from base64 to binary. At an Enterprise Developer command prompt, type:
    openssl base64 -d -a -in <PKCS#12file> -out <PKCS#12file.bin>
    Note: Ignore the warning that the openssl config file cannot be opened.
  2. Validate the output certificate to ensure that it is a valid PKCS#12 format. To perform the validation, type:
    openssl pkcs12 -in <PKCS#12file.bin> -noout
    The following message is displayed:
    Enter Import Password:
  3. Type the pass phrase of the certificate. This should have been provided by your system programmer. If the certificate is validated the following message is displayed:
    MAC verified OK
  4. To convert the verified PKCS#12 binary certificate to PEM format, type:
    openssl pkcs12 -in <PKCS#12file.bin> -out <PKCS#12file.pem>
    The following message is displayed:
    Enter Import Password:

    Type the pass phrase of the certificate used in the earlier steps.

    You are then prompted to type a new pass phrase for the PEM certificate:
    Enter PEM pass phrase:
    Note: Keep a note of the pass phrase used for the PEM certificate.
  5. The content of the PEM certificate must be split into three separate files. Open the PKCS#12 PEM file in a text editor and copy each section of the file into its own file:
    1. The first block is the root certificate. Copy the text between and including the begin and end markers:
      -----BEGIN CERTIFICATE-----
      MIICIzCCAYygAwIBAgIBADANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwl6MTE0
      IFJBQ0YwHhcNMTUwNDMwMDQwMDAwWhcNMjAwNTAxMDM1OTU5WjAUMRIwEAYDVQQD
      Ewl6MTE0IFJBQ0YwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM1/erilx5sW
      rLh33cEg2rcG5ParEOl3gGc0DmNNFzzldAFje8hMyTfrONUtOaP071o9MrTNXqYl
      s1XxMi5FTWRdpyaCpVoz/SijfDcZn5yhHS4MnjHJMSIGGmdL6GWRI8b6XOQAb/NT
      49rGUyZ7AEesOcFzP5QJPHUHY7uq35ONAgMBAAGjgYQwgYEwPwYJYIZIAYb4QgEN
      BDIWMEdlbmVyYXRlZCBieSB0aGUgU2VjdXJpdHkgU2VydmVyIGZvciB6L09TIChS
      QUNGKTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR7TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
      iR3ggglnf2gzjIINBnXt0pLsqC0wDQYJKoZIhvcNAQEFBQADgYEAmIxFhG//qowm
      etlJFYgmlSljwJ8ADUHK7vokLTTloSdcqPkkfLwRMINu0EFqrQAwy3JhSB3CqWWI
      j6Dzi4vco87LQ3K7xZz6YswhE+6/JowDIijR7eEXBdNYgn/9RzWyz9/gLrSL/wBO
      9pubetQcKseLbJ5Be/q3Frm7GnLjoYs=
      -----END CERTIFICATE-----
      

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-root-cert.pem.

    2. The second block is the user certificate. Copy the text between and including the second begin and end markers.

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-user-cert.pem.

    3. The third block is the private key. Copy the text between and including the third begin and end markers.

      Paste the copied text into a file and save the file with a name that clearly identifies it; for example, servername-user-key.pem.

  6. The private key file must be converted from PEM to DER format. At the Enterprise Developer command prompt, type:
    openssl pkcs8 -topk8 -nocrypt -in <servername-user-key.pem> -out <servername-user-key.der> -outform der
    You are then prompted for the pass phrase of the PEM private key:
    Enter pass phrase for servername-user-key.pem:

    This is the PEM pass phrase you chose in step 4, which may be a new pass phrase or the original pass phrase supplied with the PKCS#12 file.

    You now have the following three files:
    • servername-root-cert.pem
    • servername-user-cert.pem
    • servername-user-key.der
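The following script is an added example, not part of this documentation or of Enterprise Developer. It automates step 5 (splitting the PEM bundle that openssl pkcs12 writes into the three files named above) and wraps the step 6 openssl command. It assumes, as the steps above do, that the first certificate block is the root certificate and the second is the user certificate; the private key is recognised by its BEGIN marker rather than by position. The sample bundle embedded in the script is constructed for illustration (the base64 payloads are placeholders, not real DER), and the function names are the example's own.

```python
import base64
import os
import re
import subprocess

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
# Text outside the markers (openssl pkcs12 prints "Bag Attributes", "subject=",
# "issuer=" lines between blocks) is ignored, so nothing has to be hand-copied.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _pem(label, der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text):
    """Return (label, pem_text, der_bytes) for every well-formed PEM block in text.
    base64 decoding is strict, so a block damaged by a bad copy/paste raises here
    instead of producing a file that fails later at connection time."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())        # drop line breaks
        der = base64.b64decode(body, validate=True)    # raises binascii.Error if corrupt
        blocks.append((m.group("label"), _pem(m.group("label"), der), der))
    return blocks


def split_pem_bundle(text):
    """Step 5: split an 'openssl pkcs12 -out' bundle into root cert, user cert and key.
    Certificates are assigned by position as the procedure describes (first = root,
    second = user, an assumption about the RACF export); the key is found by label."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if len(certs) != 2 or len(keys) != 1:
        raise ValueError(f"expected 2 certificates and 1 key, found {len(certs)} and {len(keys)}")
    return {"root_cert": certs[0][1], "user_cert": certs[1][1], "private_key": keys[0][1]}


def write_split_files(text, server_name, out_dir="."):
    """Write the three files with the names used in the procedure; the key file is
    made owner-readable only (effective on POSIX; a no-op for the mode bits on Windows)."""
    parts = split_pem_bundle(text)
    names = {"root_cert": f"{server_name}-root-cert.pem",
             "user_cert": f"{server_name}-user-cert.pem",
             "private_key": f"{server_name}-user-key.pem"}
    paths = {}
    for part, name in names.items():
        path = os.path.join(out_dir, name)
        with open(path, "w") as fh:
            fh.write(parts[part])
        if part == "private_key":
            os.chmod(path, 0o600)
        paths[part] = path
    return paths


def key_pem_to_der(pem_path, der_path, passphrase):
    """Step 6: the page's 'openssl pkcs8 -topk8 -nocrypt' command. The PEM pass phrase
    is passed through an environment variable (-passin env:) rather than on the command
    line, so it is not visible in the process list. Requires openssl on PATH."""
    env = dict(os.environ, PEM_PASS=passphrase)
    subprocess.run(["openssl", "pkcs8", "-topk8", "-nocrypt", "-in", pem_path,
                    "-out", der_path, "-outform", "der", "-passin", "env:PEM_PASS"],
                   check=True, env=env)
    os.chmod(der_path, 0o600)   # -nocrypt leaves the key unencrypted on disk
    return der_path


# Constructed sample resembling "openssl pkcs12 -out" output; payloads are placeholders.
SAMPLE_BUNDLE = (
    "Bag Attributes\n    friendlyName: EXAMPLECA\nsubject=CN = EXAMPLECA\nissuer=CN = EXAMPLECA\n"
    + _pem("CERTIFICATE", b"constructed root certificate placeholder " * 3)
    + "Bag Attributes\n    friendlyName: USER1\nsubject=CN = USER1\nissuer=CN = EXAMPLECA\n"
    + _pem("CERTIFICATE", b"constructed user certificate placeholder " * 3)
    + "Bag Attributes\n    localKeyID: 01\nKey Attributes: <No Attributes>\n"
    + _pem("ENCRYPTED PRIVATE KEY", b"constructed encrypted key placeholder " * 3)
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for part, path in write_split_files(SAMPLE_BUNDLE, "servername", d).items():
            print(part, "->", path)
```

Run it on a real bundle with `write_split_files(open("PKCS#12file.pem").read(), "servername")`, then `key_pem_to_der("servername-user-key.pem", "servername-user-key.der", passphrase)`. Because the DER key produced by `-nocrypt` is unencrypted, the script tightens the file mode on it and on the PEM key; keep both out of shared directories and version control.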