Vol. 1 · Ed. 2026
CyberGlossary
Entry № 830

PKCS#12

What is PKCS#12?

PKCS#12: A password-protected file format (.pfx / .p12) that bundles a private key with its certificate chain, standardised by RFC 7292.


PKCS#12, originally published by RSA Laboratories and revised by the IETF in RFC 7292, defines an ASN.1/DER container for storing and transferring a private key together with the X.509 certificate chain that authenticates it. The container, commonly seen as .pfx or .p12, holds one or more SafeBags (key bags, certificate bags, CRL bags) encrypted under a password-derived key. Historically PKCS#12 used weak PKCS#5 v1 PBE constructions; modern implementations should use PBES2 with AES-CBC or AES-GCM and a PRF such as HMAC-SHA-256, as recommended by NIST and OpenSSL 3. PKCS#12 is the universal way to import server certificates, S/MIME credentials and TLS client certificates into Windows, macOS, Java keystores and HSM provisioning tools.
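An added example, not part of the glossary entry: it walks the nested DER structure described above and reports whether each password-based encryption identifier it finds is one of the legacy PKCS#12 PBE OIDs or PBES2. The function names, the "legacy"/"pbes2" labels and the sample bytes are constructed for this illustration, and only definite-length DER is handled.

```python
# Added example, not the glossary's code. Definite-length DER, low tag numbers only.
from contextlib import suppress
LEGACY_ARC = "1.2.840.113549.1.12.1."  # pkcs-12PbeIds, e.g. .3 = 3-key 3DES, .6 = 40-bit RC2
PBES2 = "1.2.840.113549.1.5.13"        # PKCS#5 v2 PBES2

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    n = length & 0x7F if length & 0x80 else -1   # long form: n length bytes follow
    if n > 0:
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if n == 0 or pos + length > len(buf):
        raise ValueError("indefinite-length or truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for byte in body:                  # base-128 digits, high bit means "more follows"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)      # first sub-identifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def collect_oids(buf):
    oids, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(decode_oid(body))
        elif tag & 0x20:               # constructed: SEQUENCE, SET, [n] EXPLICIT
            oids += collect_oids(body)
        elif tag == 0x04 and body[:1] == b"\x30":
            with suppress(ValueError, IndexError):  # OCTET STRING: nested DER or opaque
                oids += collect_oids(body)
    return oids

def audit(p12_bytes):
    """Map each password-based encryption OID found to 'legacy' or 'pbes2'."""
    return {o: "legacy" if o.startswith(LEGACY_ARC) else "pbes2"
            for o in collect_oids(p12_bytes) if o.startswith(LEGACY_ARC) or o == PBES2}

# Constructed sample (not a full .p12): two AlgorithmIdentifiers, one inside an OCTET STRING.
def tlv(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths only
def oid(hexstr): return tlv(0x06, bytes.fromhex(hexstr))
KDF = tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")          # all-zero salt, 2048 iterations
LEGACY_ALG = tlv(0x30, oid("2a864886f70d010c0106") + tlv(0x30, KDF))
PBKDF2 = tlv(0x30, oid("2a864886f70d01050c") + tlv(0x30, KDF))
AES_CBC = tlv(0x30, oid("60864801650304012a") + tlv(0x04, bytes(16)))  # aes256-CBC, zero IV
PBES2_ALG = tlv(0x30, oid("2a864886f70d01050d") + tlv(0x30, PBKDF2 + AES_CBC))
SAMPLE = tlv(0x30, tlv(0x04, tlv(0x30, LEGACY_ALG)) + PBES2_ALG)
```

To check a file on disk, pass its raw bytes to `audit`; input that uses BER indefinite lengths raises `ValueError` rather than being parsed.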

Examples

  1. Exporting an Apple Developer ID certificate and its private key from Keychain Access as a .p12 file.

  2. Importing a TLS server certificate into Windows IIS by double-clicking a .pfx file.

Frequently asked questions

What is PKCS#12?

A password-protected file format (.pfx / .p12) that bundles a private key with its certificate chain, standardised by RFC 7292. It belongs to the Cryptography category of cybersecurity.

How do you defend against PKCS#12?

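PKCS#12 is a file format rather than an attack, so defences concern protecting the container itself: they typically combine technical controls, such as the PBES2 encryption described in the full definition above, and operational practices.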

What are other names for PKCS#12?

Common alternative names include: PFX, .p12, .pfx.
