PKCS#12 Storage

A PKCS#12 key storage is a password protected key container that associates keys and X.509 certificates with aliases – often the Thumbprint of the certificate. A common file name extension used is .p12 or .pfx.

|  Alias 1 |  Certificate 1 |
|          |  Key 1         |
|  Alias 2 |  Certificate 2 |
|  Alias 3 |  Key 3         |

In OpenSSL Library for .NET the class DidiSoft.OpenSsl.PfxStore represents a PKCS#12 store. The samples below demonstrate its usage.

Table of contents

Create empty

To create an empty PKCS#12 store we just use the empty parameter constructor:

PfxStore store = new PfxStore();


In order to load an existing .pfx or .p12 store file we must know its protection password in advance:

PfxStore store = PfxStore.Load("mystore.pfx", "my password");

If the provided password is wrong a DidiSoft.OpenSsl.Exceptions.WrongPasswordException will be thrown.


Saving the PKCS#12 store requires a protection password to be specified. This is also the way to change the password – by saving it with the new one.

store.Save("myca.pfx", "my ca password");

List of Entries

List of Aliases

The list of aliases contained inside the key store can be retrieved with:

string[] aliases = store.GetAliases();

or traverse aliases one by one with:

for (int i = 0; i < store.AliasesCount; i++)

For each alias we can get the corresponding certificate or private key with:

DidiSoft.OpenSsl.X509Certificate cert = store.GetCertificate(alias);
DidiSoft.OpenSsl.PrivateKey key = store.GetPrivateKey(alias);

List of Certificates and keys

We can also get only the Certificates:

DidiSoft.OpenSsl.X509.Certificate[] certificates = store.GetCertificates();

or only the private keys:

DidiSoft.OpenSsl.PrivateKey[] certificates = store.GetPrivateKeys();



This article introduced the PfxStore class, a key container for private keys and X.509 certificates. This storage is especially useful for protecting a Certificate Authority private key and its certificate.