3

Following this question I managed to create a number of certificates in a hierarchy of root, intermediate and end certificates:

# Create root RSA key pair of 1024 bits as well as a certificate signing request
openssl req -new -newkey rsa:1024 -nodes -out caRoot.csr -keyout caRoot.key
# Create the self-signed root certificate and store it in .pem format
openssl x509 -trustout -signkey caRoot.key -days 365 -req -in caRoot.csr -out caRoot.pem
# Create intermediate certificate RSA key pair
openssl genrsa -out clientIntermediate.key 1024
# Create intermediate CSR
openssl req -new -key clientIntermediate.key -out clientIntermediate.csr
# Sign the intermediate CSR with the root key to produce the intermediate certificate
# (openssl ca needs the CA database, index.txt and serial, configured in openssl.cnf;
# policy_anything is the permissive policy section of the stock config)
openssl ca -policy policy_anything -keyfile caRoot.key -cert caRoot.pem -out clientIntermediate.pem -infiles clientIntermediate.csr
# Do the same thing for the end certificate: key pair and CSR
openssl req -new -keyout clientEnd.key -out clientEnd.csr
# Sign the end-entity CSR with the intermediate key
openssl ca -policy policy_anything -keyfile clientIntermediate.key -cert clientIntermediate.pem -out clientEnd.pem -infiles clientEnd.csr

How is it possible to create a certificate chain as described above and store it entirely in PKCS#12 format?

Sebi
  • 1,144

1 Answer

2

The "latter" in my description, private key AND cert chain, is PKCS#12 as you originally asked. (PKCS#7 handles the case of ONLY the cert chain.) To create PKCS#12 most simply, use the command-line operation pkcs12 with the -export option. There are several ways to combine the options of this command, but two simple ways for a 3-level scenario like yours (root, mid, leaf) are:

openssl pkcs12 -export -in leafcert.pem -inkey leafkey.pem -certfile midcert.pem -CAfile rootcert.pem -chain -out my.p12 

cat leafcert.pem leafkey.pem midcert.pem rootcert.pem | openssl pkcs12 -export -out my.p12 

(substitute your filenames). Full details in the manpage, available on any Unix system where OpenSSL is (fully) installed or online at https://www.openssl.org/docs/man1.0.2/apps/pkcs12.html (or choose earlier version from https://www.openssl.org/docs/manpages.html if needed).

For completeness, if you do/did need the chain without the private key, it is

openssl crl2pkcs7 -nocrl -certfile leafcert.pem -certfile midcert.pem -certfile rootcert.pem -out my.p7b
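The whole procedure end to end, as an added example that is not code from the question or the answer: it builds a root, intermediate and leaf non-interactively with openssl x509 -req (which needs no CA database, unlike openssl ca), bundles the leaf key and the complete chain into one PKCS#12 file, then reads the bundle back and checks that it is self-sufficient. It assumes OpenSSL 1.1.1 or later on PATH, a scratch directory, the file names root/mid/leaf/bundle.p12 and the export password "changeit"; all of those are choices for the illustration. It deliberately uses -certfile with the intermediate and root concatenated rather than -chain: -chain asks OpenSSL to build the path at export time from whatever -CAfile/-CApath provides, whereas -certfile copies in exactly the certificates you hand it, so the result does not depend on the contents of a trust store.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above. Builds a
# root -> intermediate -> leaf chain non-interactively, bundles the leaf key
# together with the complete chain into one PKCS#12 file, then reads the
# bundle back to prove it is self-sufficient. Assumed: OpenSSL 1.1.1 or later
# on PATH, a scratch directory, the names root/mid/leaf/bundle.p12 and the
# export password "changeit".
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"

# Private key plus CSR for one entity. 2048-bit RSA: the 1024-bit keys in the
# question are below current minimums and many clients reject them.
gen_csr() {   # $1 = base name, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
    # Extension profiles: without CA:TRUE on root and intermediate, path
    # validation fails even though every signature is correct.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' >"$WORK/leaf.ext"

    gen_csr root "Example Root CA"                      # self-signed root
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    gen_csr mid "Example Issuing CA"                    # intermediate, signed by root
    openssl x509 -req -in "$WORK/mid.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/mid.pem" 2>/dev/null

    gen_csr leaf "client1"                              # end entity, signed by intermediate
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/mid.pem" -CAkey "$WORK/mid.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# -in/-inkey give the leaf and its key; -certfile is copied in verbatim, so it
# must already contain the complete CA chain (order does not matter). Nothing
# is looked up in a trust store, unlike -chain.
export_p12() {
    cat "$WORK/mid.pem" "$WORK/root.pem" >"$WORK/chain.pem"
    openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
        -certfile "$WORK/chain.pem" -passout "pass:$PASS" -out "$WORK/bundle.p12"
}

# Read the bundle back into three files: the key, the leaf cert, the CA certs.
extract_bundle() {
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" -nocerts -nodes \
        -out "$WORK/ext.key" 2>/dev/null
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" -nokeys -clcerts \
        -out "$WORK/ext-leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$PASS" -nokeys -cacerts \
        -out "$WORK/ext-cas.pem" 2>/dev/null
}

# Number of certificates in the bundle: 3 for leaf + intermediate + root.
cert_count() {
    cat "$WORK/ext-leaf.pem" "$WORK/ext-cas.pem" | grep -c 'BEGIN CERTIFICATE'
}

# "yes" if the extracted key's public half equals the leaf's SubjectPublicKeyInfo.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/ext.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/ext-leaf.pem" -pubkey -noout | openssl sha256)
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# "ok" if the leaf chains to a self-signed root using only the CA certificates
# that came out of the bundle; a missing intermediate or root makes this fail.
chain_verifies() {
    if openssl verify -CAfile "$WORK/ext-cas.pem" "$WORK/ext-leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

build_chain
export_p12
extract_bundle
printf 'certs=%s key_matches_cert=%s chain=%s\n' "$(cert_count)" "$(key_matches_cert)" "$(chain_verifies)"
```

The three checks at the end are the ones worth running on any PKCS#12 you hand to a client or server: the certificate count catches a chain file that was missing the intermediate, the public-key comparison catches a key bundled with the wrong certificate, and the verify against the bundle's own CA certificates catches a chain that only works because the exporting machine happened to trust the issuer.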