The purpose of this topic is to provide instructions on how to generate a p12 keystore file using OpenSSL, a third-party utility.

Additional information

Please note that OpenSSL is not a B2B Payments product, and is only used in this example for illustration purposes.

In order to create a valid p12 file, you will need:

Renewed XiSecure Client Certificate

Existing Private Key (along with private key password)

OpenSSL to generate the p12 file via command:


OpenSSL can be run on a Windows-based machine. It can be installed on the same server where PAS is installed, but does not need to be.

You can use the same instance of OpenSSL to generate p12 files for QA and Production, as long as the correct Client Certificate/private key combination is used.


1. Download and install Microsoft C++ Redistributable (required for the latest version of OpenSSL).

a) The link below is a separate download for Microsoft redistributable components that may be needed as they are required for the latest release of OpenSSL:


2. Download and install the OpenSSL Tool.

b) We recommend downloading the latest version of OpenSSL from the following link:


3. Once OpenSSL is installed, open a command prompt session (i.e. Start -> Run -> cmd) and navigate to the OpenSSL program directory (C:\OpenSSL-Win32\bin).

Execute the appropriate OpenSSL command:

 openssl> pkcs12 -export -in [cert_location\client_cert.pem] -inkey cert_privkey.pem -out cert.p12

Note: When building the command per the above example, indicate the certificate location ('C:\Certs' for instance) in the cert_location section, and replace the certificate name placeholder with a relevant company name. Type the options with plain hyphens and leave out the square brackets, which only mark the placeholder.

A valid command would look like this:

 openssl> pkcs12 -export -in c:\cert\companyname.pem -inkey companyname.privkey.pem -out companyname.p12

4. Once the above is executed, the process will ask you to enter the existing private key password. The process also prompts you to set a password for the new p12 file (the Export Password).

See example below:


Please take note of the Export Password associated with this new p12, as it may need to be configured in the API making the web services call.
The new P12 file can be found in the directory where OpenSSL was executed from (for instance, C:\OpenSSL-Win32\bin).
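
The steps above can also be run non-interactively with a check that the certificate and private key actually belong together before the p12 is built, and a check that the Export Password opens the result. This PowerShell script is an added example, not part of the original procedure; the file paths, the Read-Secret helper and the KEY_PASS / P12_PASS variable names are assumptions chosen for illustration.

```powershell
# Added example: pre-flight check, export and verification of a PKCS#12 file.
# Paths, Read-Secret and the KEY_PASS / P12_PASS names are illustrative assumptions.
$openssl = 'C:\OpenSSL-Win32\bin\openssl.exe'   # program directory from step 3
$cert    = 'C:\Certs\companyname.pem'            # renewed client certificate (PEM)
$key     = 'C:\Certs\companyname.privkey.pem'    # existing encrypted private key (PEM)
$p12     = 'C:\Certs\companyname.p12'            # keystore to create

function Read-Secret([string]$Prompt) {
    # Prompt without echo; return plain text so it can be handed to OpenSSL.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR(
        (Read-Host -Prompt $Prompt -AsSecureString))
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Passwords are passed through environment variables (OpenSSL "env:" source),
# so they never appear on the command line.
$env:KEY_PASS = Read-Secret 'Existing private key password'
$env:P12_PASS = Read-Secret 'New Export Password'
try {
    # 1. Certificate and private key must carry the same public key.
    $certPub = (& $openssl x509 -in $cert -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw 'Could not read the certificate' }
    $keyPub = (& $openssl pkey -in $key -pubout -passin 'env:KEY_PASS') -join "`n"
    if ($LASTEXITCODE -ne 0) { throw 'Could not read the private key (wrong password?)' }
    # -cne is a case-sensitive comparison; base64 text is case-sensitive.
    if ($certPub -cne $keyPub) { throw 'Certificate and private key do not match' }

    # 2. Build the p12 (same pkcs12 -export command as above, without prompts).
    & $openssl pkcs12 -export -in $cert -inkey $key -out $p12 `
        -passin 'env:KEY_PASS' -passout 'env:P12_PASS'
    if ($LASTEXITCODE -ne 0) { throw 'pkcs12 -export failed' }

    # 3. Re-open the file with the Export Password; -noout verifies the file
    #    without printing the certificate or key.
    & $openssl pkcs12 -in $p12 -noout -passin 'env:P12_PASS'
    if ($LASTEXITCODE -ne 0) { throw 'Export Password does not open the new p12' }
    Write-Host "OK: $p12 created and verified"
}
finally {
    # Remove the passwords from the process environment.
    Remove-Item Env:KEY_PASS, Env:P12_PASS -ErrorAction SilentlyContinue
}
```

Writing the p12 to a directory with restricted access, rather than the OpenSSL program directory, keeps the private key out of a location other users can read.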

Revision history and approvals

Revision Date

Change Description

Author Name

Approver Name


 YES or NO?

Approval Date



Lanre Sewoniku