When I import a .p12 into Chrome, it requires a password. Once supplied, it is now stored in Chrome's key store and I never need to import my password again to use it.
How does Chrome manage this? Does it store the password and apply it each use from then on? Or does it extract the certificate and private key, storing them somewhere?
1 Answer
Most programs1 use the PKCS#12 file as only an import/export container.
When you import the file, its contents are processed as individual certificates or private keys, and they're stored in whatever format the program uses. The original PKCS#12 file and its password are then discarded.
Chrome generally uses the OS native storage where available – you can open the Certificate Manager (certmgr.msc) on Windows, Keychain on macOS, and see your certificates there.
On Linux/Unix systems, Chrome uses the NSS database format (same format as Firefox but different location); it can be accessed with certutil -d ~/.pki/nssdb.
1 (Well, Java 10+ also directly uses the same PKCS#12 format for its 'keystore' files, but that's somewhat of an exception and unrelated to Chrome anyway.)
2