This guide explains how to extract a .pem file from a .p12 file using OpenSSL and troubleshoot common errors encountered during the process.
Run the following command to extract the .pem file:
openssl pkcs12 -in /Users/dvuiw/Desktop/customer.p12 -nokeys -out /Users/dvuiw/Desktop/certicate.pem -nodes -password pass:123456789
Error:
Error verifying PKCS12 MAC; no PKCS12KDF support.
Use -nomacver if MAC verification is not required.
Skip MAC verification by adding the -nomacver option:
openssl pkcs12 -in /Users/dvuiw/Desktop/customer.p12 -nokeys -out /Users/dvuiw/Desktop/certicate.pem -nodes -password pass:123456789 -nomacver
Error:
Error outputting keys and certificates
C0FA52EA01000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
C0FA52EA01000000:error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:crypto/pkcs12/p12_crpt.c:55:
Enable the legacy provider in OpenSSL.
- Locate the OpenSSL Configuration File:
  openssl version -d
  Output:
  OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
- Edit the Configuration File: Open the OpenSSL configuration file for editing:
  vi /opt/homebrew/etc/openssl@3/openssl.cnf
  Add the following sections to enable the legacy provider:
  # A provider section only takes effect when [provider_sect] names it.
  [provider_sect]
  default = default_sect
  legacy = legacy_sect
  [default_sect]
  activate = 1
  [legacy_sect]
  activate = 1
- Export the Configuration Path:
  export OPENSSL_CONF=/opt/homebrew/etc/openssl@3/openssl.cnf
- Re-run the Command:
  openssl pkcs12 -in /Users/dvuiw/Desktop/customer.p12 -nokeys -out /Users/dvuiw/Desktop/certicate.pem -nodes -password pass:123456789 -nomacver
To check the expiration date of the certificate, use one of the following commands:
openssl x509 -enddate -noout -in certicate.pem
cat certicate.pem | openssl x509 -noout -enddate
Output:
notAfter=Dec 6 14:54:52 2026 GMT
- Ensure that the OpenSSL version you are using supports the necessary legacy algorithms.
- Use the -nomacver option only if MAC verification is not a strict requirement for your use case.
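One way to apply the provider settings from the configuration steps to a single extraction, and to script the expiry check, as an added example that is not part of the original guide. The function names and the P12_PASS environment variable are assumptions, and the config it writes is a minimal throwaway file, not Homebrew's shipped openssl.cnf.

```sh
#!/bin/sh
# Added example. Function names and the P12_PASS variable are assumptions.

# Write a throwaway config that loads the default and legacy providers
# and print its path, so the global openssl.cnf stays untouched.
make_legacy_conf() {
    conf=$(mktemp "${TMPDIR:-/tmp}/openssl-legacy.XXXXXX") || return 1
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
EOF
    printf '%s\n' "$conf"
}

# extract_cert P12 OUT_PEM
# The password is read from the exported variable P12_PASS (-passin env:),
# which keeps it out of the argument list shown in process listings.
extract_cert() {
    p12=$1
    out=$2
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    conf=$(make_legacy_conf) || return 1
    # OPENSSL_CONF applies to this one process only. -nomacver is not passed,
    # so the MAC check on the file stays enabled.
    OPENSSL_CONF="$conf" openssl pkcs12 -in "$p12" -nokeys -out "$out" \
        -passin env:P12_PASS
    rc=$?
    rm -f "$conf"
    return "$rc"
}

# cert_valid_for PEM DAYS: succeeds if the certificate is still valid
# DAYS days from now (openssl x509 -checkend takes seconds).
cert_valid_for() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}
```

After exporting P12_PASS, a call such as `extract_cert customer.p12 certicate.pem && cert_valid_for certicate.pem 30` extracts the certificate and fails if it expires within 30 days.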