pkcs12 man page on DigitalUNIX

pkcs12(1ssl)							  pkcs12(1ssl)

NAME
       pkcs12 - PKCS#12 file utility

SYNOPSIS
       openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename]
       [-name name] [-caname name] [-in filename] [-out filename] [-noout]
       [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-des]
       [-des3] [-idea] [-nodes] [-noiter] [-nomaciter] [-maciter] [-twopass]
       [-descert] [-certpbe alg] [-keypbe alg] [-keyex] [-keysig] [-password arg]
       [-passin arg] [-passout arg] [-rand file(s)]

OPTIONS
       There are many options. The  meaning  of	 some  depends	on  whether  a
       PKCS#12	file  is being created or parsed. By default a PKCS#12 file is
       parsed. A PKCS#12 file can be created by using the -export option.

   PARSING OPTIONS
       -in filename
	      This specifies the filename of the PKCS#12 file to be parsed.
	      Standard input is used by default.

       -out filename
	      The filename to write certificates and private keys to, standard
	      output by default. They are all written in PEM format.

       -password arg, -passin arg
	      The PKCS#12 file (i.e. input file) password source. For more
	      information about the format of arg, see the Pass Phrase Arguments
	      section in openssl(1ssl).

       -passout arg
	      The pass phrase source to encrypt any output private keys with.
	      For more information about the format of arg, see the Pass Phrase
	      Arguments section in openssl(1ssl).

       -noout
	      Inhibits output of the keys and certificates to the output file.
	      Combined with -info this checks a PKCS#12 file without writing its
	      contents anywhere.

       -clcerts
	      Only output client certificates (not CA certificates).

       -cacerts
	      Only output CA certificates (not client certificates).

       -nocerts
	      No certificates will be output.

       -nokeys
	      No private keys will be output.

       -info
	      Outputs additional information about the PKCS#12 file structure,
	      algorithms used and iteration counts.

       -des
	      Uses DES to encrypt private keys before outputting.

       -des3
	      Uses triple DES to encrypt private keys before outputting; this is
	      the default.

       -idea
	      Uses IDEA to encrypt private keys before outputting.

       -nodes
	      Does not encrypt the private keys. The output file then holds the
	      private key in clear text, so protect it with file permissions.

       -nomacver
	      Does not attempt to verify the integrity MAC before reading the
	      file. The MAC is the only integrity check on a PKCS#12 file, so
	      with this option a modified file is parsed without complaint.

       -twopass
	      Prompts for separate integrity and encryption passwords. Most
	      software always assumes these are the same, so this option will
	      render such PKCS#12 files unreadable by that software.

   FILE CREATION OPTIONS
       -export
	      Specifies that a PKCS#12 file will be created rather than parsed.

       -out filename
	      Specifies the filename where the PKCS#12 file is written. Standard
	      output is used by default.

       -in filename
	      The filename to read certificates and private keys from, standard
	      input by default. They must all be in PEM format. The order does
	      not matter, but one private key and its corresponding certificate
	      should be present. If additional certificates are present they
	      will also be included in the PKCS#12 file.

       -inkey filename
	      The file to read the private key from. If not present then a
	      private key must be present in the input file.

       -name friendlyname
	      Specifies the "friendly name" for the certificate and private key.
	      This name is typically displayed in list boxes by software
	      importing the file.

       -certfile filename
	      A filename to read additional certificates from.

       -caname friendlyname
	      Specifies the "friendly name" for other certificates. This option
	      may be used multiple times to specify names for all certificates
	      in the order they appear. Netscape ignores friendly names on other
	      certificates whereas MSIE displays them.

       -password arg, -passout arg
	      The PKCS#12 file (i.e. output file) password source. For more
	      information about the format of arg, see the Pass Phrase Arguments
	      section in openssl(1ssl).

       -passin arg
	      Pass phrase source used to decrypt any input private keys. For
	      more information about the format of arg, see the Pass Phrase
	      Arguments section in openssl(1ssl).

       -chain
	      If this option is present then an attempt is made to include the
	      entire certificate chain of the user certificate. The standard CA
	      store is used for this search. If the search fails it is
	      considered a fatal error.

       -descert
	      Encrypts the certificate using triple DES. This may render the
	      PKCS#12 file unreadable by some export grade software. By default
	      the private key is encrypted using triple DES and the certificate
	      using 40 bit RC2.

       -keypbe alg, -certpbe alg
	      Allows the algorithm used to encrypt the private key and
	      certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12
	      algorithms can be selected, it is advisable only to use PKCS#12
	      algorithms. See the list in the Notes section for more
	      information.

       -keyex|-keysig
	      Specifies that the private key is to be used for key exchange or
	      just signing. This option is only interpreted by MSIE and similar
	      MS software. Normally export grade software will only allow 512
	      bit RSA keys to be used for encryption purposes but arbitrary
	      length keys for signing. The -keysig option marks the key for
	      signing only. Signing only keys can be used for S/MIME signing,
	      authenticode (ActiveX control signing) and SSL client
	      authentication; however, due to a bug only MSIE 5.0 and later
	      support the use of signing only keys for SSL client
	      authentication.

       -nomaciter, -noiter
	      These options affect the iteration counts on the MAC and key
	      algorithms. Unless you wish to produce files compatible with MSIE
	      4.0 you should leave these options alone.

	      To discourage attacks by using large dictionaries of common
	      passwords the algorithm that derives keys from passwords can
	      have an iteration count applied to it: this causes a certain
	      part of the algorithm to be repeated and slows it down. The MAC
	      is used to check the file integrity but since it will normally
	      have the same password as the keys and certificates it could
	      also be attacked. By default both MAC and encryption iteration
	      counts are set to 2048; using these options the MAC and
	      encryption iteration counts can be set to 1. Since this reduces
	      the file security you should not use these options unless you
	      really have to. Most software supports both MAC and key iteration
	      counts. MSIE 4.0 doesn't support MAC iteration counts so it needs
	      the -nomaciter option.

       -maciter
	      This option is included for compatibility with previous versions.
	      It used to be needed to use MAC iteration counts but they are now
	      used by default.

       -rand file(s)
	      A file or files containing random data used to seed the random
	      number generator, or an EGD socket. (See RAND_egd(3).) Multiple
	      files can be specified separated by an OS-dependent character.
	      The separator is a semicolon (;) for MS-Windows, a comma (,) for
	      OpenVMS, and a colon (:) for all others.
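
       The following is an added example, not code from this man page or from
       OpenSSL. It implements the PKCS#12 password-to-key derivation (RFC 7292,
       Appendix B.2) and the file MAC built on it, so that the effect of the
       iteration count described above can be measured directly: one MAC is
       computed with the default count of 2048 and one with the count of 1 that
       -nomaciter produces, and an offline dictionary guess is run against each.
       The salt, the stand-in for the authSafe contents and the candidate
       passwords are all constructed here; the function names are this
       example's own.

```python
"""PKCS#12 password-based MAC (RFC 7292, Appendix B) with a tunable iteration count.

Added example, not code from the pkcs12 man page or from OpenSSL. All inputs
(salt, data, candidate passwords) are constructed below for illustration.
"""
import hashlib
import hmac
import math
import time


def bmp_password(password: str) -> bytes:
    """RFC 7292 B.1: the password is a BMPString (UTF-16BE) plus a 2-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _repeat_to(block: bytes, length: int) -> bytes:
    """Concatenate copies of block and truncate to length (empty block -> empty result)."""
    if not block:
        return b""
    return (block * (length // len(block) + 1))[:length]


def pkcs12_kdf(password: bytes, salt: bytes, iterations: int, purpose: int,
               n: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 B.2 key derivation. purpose: 1 = cipher key, 2 = IV, 3 = MAC key."""
    h = hashlib.new(hash_name)
    u, v = h.digest_size, h.block_size          # SHA-1: u=20, v=64; SHA-256: u=32, v=64
    D = bytes([purpose]) * v                    # the "diversifier" block
    S = _repeat_to(salt, v * math.ceil(len(salt) / v))
    P = _repeat_to(password, v * math.ceil(len(password) / v))
    I = bytearray(S + P)
    out = b""
    while len(out) < n:
        A = D + bytes(I)
        for _ in range(iterations):             # the iteration count: r hash calls per output block
            A = hashlib.new(hash_name, A).digest()
        out += A
        B = int.from_bytes(_repeat_to(A, v), "big") + 1
        for j in range(0, len(I), v):           # I_j = (I_j + B + 1) mod 2^(8v) for each v-byte block
            word = (int.from_bytes(I[j:j + v], "big") + B) % (1 << (8 * v))
            I[j:j + v] = word.to_bytes(v, "big")
    return out[:n]


def pkcs12_mac(password: str, salt: bytes, iterations: int, data: bytes,
               hash_name: str = "sha1") -> bytes:
    """MacData.mac: HMAC over the authSafe contents, keyed with a purpose-3 derived key."""
    digest_size = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(bmp_password(password), salt, iterations, 3, digest_size, hash_name)
    return hmac.new(key, data, hash_name).digest()


def verify_mac(password: str, salt: bytes, iterations: int, data: bytes,
               mac: bytes, hash_name: str = "sha1") -> bool:
    """The check pkcs12 performs before parsing unless -nomacver is given."""
    return hmac.compare_digest(pkcs12_mac(password, salt, iterations, data, hash_name), mac)


def guess_password(candidates, salt: bytes, iterations: int, data: bytes, mac: bytes,
                   hash_name: str = "sha1"):
    """Offline dictionary attack on the MAC alone; returns (password or None, guesses made)."""
    tries = 0
    for candidate in candidates:
        tries += 1
        if verify_mac(candidate, salt, iterations, data, mac, hash_name):
            return candidate, tries
    return None, tries


if __name__ == "__main__":
    salt = bytes(range(8))                      # constructed; OpenSSL uses a random salt
    data = b"constructed stand-in for the DER authSafe contents"
    for iters in (1, 2048):                     # 1 is what -nomaciter produces, 2048 is the default
        t0 = time.perf_counter()
        mac = pkcs12_mac("sesame", salt, iters, data)
        found, tries = guess_password(["password", "123456", "sesame"], salt, iters, data, mac)
        print(f"iterations={iters:5d} mac={mac.hex()} guessed={found!r} after {tries} tries "
              f"in {time.perf_counter() - t0:.4f}s")
```

       Each guess costs the attacker exactly one key derivation, and for a MAC
       key (one output block) that is `iterations` hash calls, so the default
       count makes every guess 2048 times slower than a file written with
       -nomaciter. The MAC is keyed only by the password, which is why the text
       above warns that it can be attacked just like the encrypted contents.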

DESCRIPTION
       The  pkcs12  command allows PKCS#12 files (sometimes referred to as PFX
       files) to be created and parsed. PKCS#12 files are used by several pro‐
       grams including Netscape, MSIE and MS Outlook.

NOTES
       Although there are a large number of options most of them are very
       rarely used. For PKCS#12 file parsing only the -in and -out options
       need to be used; for PKCS#12 file creation the -export and -name
       options are also used.

       If none of the -clcerts, -cacerts or -nocerts options are present then
       all certificates will be output in the order they appear in the input
       PKCS#12 file. There is no guarantee that the first certificate present
       is the one corresponding to the private key. Certain software requires
       a private key and certificate and assumes the first certificate in the
       file is the one corresponding to the private key: this may not always
       be the case. Using the -clcerts option will solve this problem by only
       outputting the certificate corresponding to the private key. If the CA
       certificates are required then they can be output to a separate file
       using the -nokeys and -cacerts options.

       The -keypbe and -certpbe options allow the precise encryption algo‐
       rithms for private keys and certificates to be specified. Normally the
       defaults are fine, but occasionally software cannot handle triple DES
       encrypted private keys. In that case, the -keypbe PBE-SHA1-RC2-40
       option can be used to reduce the private key encryption to 40 bit RC2.
       A 40 bit key offers no real protection against a brute force search of
       the key space, so use it only when the importing software cannot do
       better. A complete description of all algorithms is contained in the
       pkcs8(1ssl) reference page.

RESTRICTIONS
       Versions	 of OpenSSL before 0.9.6a had a bug in the PKCS#12 key genera‐
       tion routines. Under rare circumstances this could  produce  a  PKCS#12
       file  encrypted	with  an  invalid  key. As a result some PKCS#12 files
       which triggered this bug from other implementations (MSIE or  Netscape)
       could  not  be decrypted by OpenSSL and similarly OpenSSL could produce
       PKCS#12 files which could not be decrypted  by  other  implementations.
       The  chances of producing such a file are relatively small -- less than
       1 in 256.

       A side effect of fixing this bug is that any  old  invalidly  encrypted
       PKCS#12	files can no longer be parsed by the fixed version. Under such
       circumstances the pkcs12 utility will report that the  MAC  is  OK  but
       fail with a decryption error when extracting private keys.

       This problem can be resolved by extracting the private keys and cer‐
       tificates from the PKCS#12 file using an older version of OpenSSL and
       recreating the PKCS#12 file from the keys and certificates using a
       newer version of OpenSSL. For example:

	old-openssl pkcs12 -in bad.p12 -out keycerts.pem
	openssl pkcs12 -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12

EXAMPLES
       Parse a PKCS#12 file and output it to a file:
	openssl pkcs12 -in file.p12 -out file.pem

       Output only client certificates to a file:
	openssl pkcs12 -in file.p12 -clcerts -out file.pem

       Don't encrypt the private key:
	openssl pkcs12 -in file.p12 -out file.pem -nodes

       Print some information about a PKCS#12 file:
	openssl pkcs12 -in file.p12 -info -noout

       Create a PKCS#12 file:
	openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"

       Include some extra certificates:
	openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
	 -certfile othercerts.pem

SEE ALSO
       Commands: pkcs8(1ssl)
