Hi all,

First of all, I am not really sure if I post this in the correct forum so please forgive me if this does not
belong here.

I have some questions about the PKCS#12 files and really appreciate it if somebody could please try to clear the content and usage for me. If I understand correctly a PKCS#12 file are some sort of container file which contain:

  • a certificate (signed by a CA. This certificate is sent to client to establish a SSL connection)
  • a private key
  • a public key.

Is this correct?

If I am correct a SSL (ex. https/ssliop) connection between a client and server is created as follows :

  • client requests SSL connection from a server
    (ex. client browser requests a https connection from a website)
  • the server sends the certificate (which contains a public key) to the client
    (ex. Web Site sends certificate to browser)
  • the client verifies if the Certificate Authority (CA) who issued the certificate (so meaning the Certificate
    which was received from the server) is a trusted Certificate, if it is still valid and if it matches the server
    identity (ex. website).
    The client checks if the CA root certificate exists in the client trusted certificate store.
    (ex. is the root CA certificate stored in the Windows certificate store / is it in the Internet Explorer certificate
  • if ok then client uses the public key which is stored in the server certificate to encrypt data for the server
  • the server uses his private key to decrypt the data

For me it is confusing why the PKCS#12 file has a certificate plus the keys…
I think I get the certificate because I would expect that the PKCS#12 certificate is sent to the client to setup a
SSL connection but are the public key and private key stored in the PKCS#12 file? What are the private and
public keys used for?

Thank you very much in advance,


Hi Licenseplate,

PKCS#12 is just a certificate/public/private key store as you said. Both keys are created together and are both generated by the same algorithm. The public key and private key are stored in the file, and can be extracted. Encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. It can be certified encrypted with the private key and only the associated public key will decrypt it.

Hi sAyer,

Thanks a lot for your reply but why are the certificate (which contains the public key) plus a separate
public key in this PKCS#12 file? Wouldn’t just the certificate plus private key be sufficient?

I understand that the private key is needed to decrypt the data which the client encrypted by using
the public key which is stored in the certificate but don’t understand why there is a separate public
key in this PKCS#12 file.