Sample code for 30+ languages & platforms
Tcl

Get Certificates from .p12 / .pfx

See more PFX/P12 Examples

A PKCS12 (.p12 / .pfx) is a container for holding a certificate, its private key, and the certs in the chain of authentication up to and possibly including the root CA cert. A .p12 is not required to contain certain things. It will contain whatever the creator of the .p12 decided to include. It's possible to contain just a private key, just a cert, many certs without private keys, or many certs with many private keys. Usually, a .p12 contains one certificate, its associated private key, and certificates in the chain of authentication.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

set pfx [new_CkPfx]

set success [CkPfx_LoadPfxFile $pfx "qa_data/pfx/test.pfx" "pfx_password"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    exit
}

# Iterate over the certs contained in the PFX
set cert [new_CkCert]

set numCerts [CkPfx_get_NumCerts $pfx]
set i 0
while {$i < $numCerts} {

    CkPfx_CertAt $pfx $i $cert

    puts "--- $i ---"
    puts [CkCert_subjectDN $cert]
    # Is this a root cert, or self-signed?
    puts "Root: [CkCert_get_IsRoot $cert]"
    puts "Self-Signed: [CkCert_get_SelfSigned $cert]"

    # If this certificate is not the root (self-signed), then get the issuer.
    # If the issuing certificate is contained in the PFX, then it will be found here..
    if {[CkCert_get_SelfSigned $cert] != 1} then {
        # issuer is a CkCert
        set issuer [CkCert_FindIssuer $cert]
        if {[CkCert_get_LastMethodSuccess $cert] == 0} then {
            puts "Issuer not found."
        }         else {
            puts "Issuer: [CkCert_subjectDN $issuer]"
            delete_CkCert $issuer

        }

    }

    set i [expr $i + 1]
}

# Usually, the user certificate is at index 0, its issuer is at index 1, etc. until we get to the root certificate.

delete_CkPfx $pfx
delete_CkCert $cert