OLD | NEW |
1 | 1 |
2 =pod | 2 =pod |
3 | 3 |
4 =head1 NAME | 4 =head1 NAME |
5 | 5 |
6 pkcs12 - PKCS#12 file utility | 6 pkcs12 - PKCS#12 file utility |
7 | 7 |
8 =head1 SYNOPSIS | 8 =head1 SYNOPSIS |
9 | 9 |
10 B<openssl> B<pkcs12> | 10 B<openssl> B<pkcs12> |
11 [B<-export>] | 11 [B<-export>] |
12 [B<-chain>] | 12 [B<-chain>] |
13 [B<-inkey filename>] | 13 [B<-inkey filename>] |
14 [B<-certfile filename>] | 14 [B<-certfile filename>] |
15 [B<-name name>] | 15 [B<-name name>] |
16 [B<-caname name>] | 16 [B<-caname name>] |
17 [B<-in filename>] | 17 [B<-in filename>] |
18 [B<-out filename>] | 18 [B<-out filename>] |
19 [B<-noout>] | 19 [B<-noout>] |
20 [B<-nomacver>] | 20 [B<-nomacver>] |
21 [B<-nocerts>] | 21 [B<-nocerts>] |
22 [B<-clcerts>] | 22 [B<-clcerts>] |
23 [B<-cacerts>] | 23 [B<-cacerts>] |
24 [B<-nokeys>] | 24 [B<-nokeys>] |
25 [B<-info>] | 25 [B<-info>] |
26 [B<-des>] | 26 [B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia
192 | -camellia256 | -nodes>] |
27 [B<-des3>] | |
28 [B<-idea>] | |
29 [B<-nodes>] | |
30 [B<-noiter>] | 27 [B<-noiter>] |
31 [B<-maciter>] | 28 [B<-maciter | -nomaciter | -nomac>] |
32 [B<-twopass>] | 29 [B<-twopass>] |
33 [B<-descert>] | 30 [B<-descert>] |
34 [B<-certpbe>] | 31 [B<-certpbe cipher>] |
35 [B<-keypbe>] | 32 [B<-keypbe cipher>] |
| 33 [B<-macalg digest>] |
36 [B<-keyex>] | 34 [B<-keyex>] |
37 [B<-keysig>] | 35 [B<-keysig>] |
38 [B<-password arg>] | 36 [B<-password arg>] |
39 [B<-passin arg>] | 37 [B<-passin arg>] |
40 [B<-passout arg>] | 38 [B<-passout arg>] |
41 [B<-rand file(s)>] | 39 [B<-rand file(s)>] |
| 40 [B<-CAfile file>] |
| 41 [B<-CApath dir>] |
| 42 [B<-CSP name>] |
42 | 43 |
43 =head1 DESCRIPTION | 44 =head1 DESCRIPTION |
44 | 45 |
45 The B<pkcs12> command allows PKCS#12 files (sometimes referred to as | 46 The B<pkcs12> command allows PKCS#12 files (sometimes referred to as |
46 PFX files) to be created and parsed. PKCS#12 files are used by several | 47 PFX files) to be created and parsed. PKCS#12 files are used by several |
47 programs including Netscape, MSIE and MS Outlook. | 48 programs including Netscape, MSIE and MS Outlook. |
48 | 49 |
49 =head1 COMMAND OPTIONS | 50 =head1 COMMAND OPTIONS |
50 | 51 |
51 There are a lot of options the meaning of some depends of whether a PKCS#12 file | 52 There are a lot of options the meaning of some depends of whether a PKCS#12 file |
52 is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12 | 53 is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 |
53 file can be created by using the B<-export> option (see below). | 54 file can be created by using the B<-export> option (see below). |
54 | 55 |
55 =head1 PARSING OPTIONS | 56 =head1 PARSING OPTIONS |
56 | 57 |
57 =over 4 | 58 =over 4 |
58 | 59 |
59 =item B<-in filename> | 60 =item B<-in filename> |
60 | 61 |
61 This specifies filename of the PKCS#12 file to be parsed. Standard input is used | 62 This specifies filename of the PKCS#12 file to be parsed. Standard input is used |
62 by default. | 63 by default. |
63 | 64 |
64 =item B<-out filename> | 65 =item B<-out filename> |
65 | 66 |
66 The filename to write certificates and private keys to, standard output by defau
lt. | 67 The filename to write certificates and private keys to, standard output by |
67 They are all written in PEM format. | 68 default. They are all written in PEM format. |
68 | 69 |
69 =item B<-pass arg>, B<-passin arg> | 70 =item B<-pass arg>, B<-passin arg> |
70 | 71 |
71 the PKCS#12 file (i.e. input file) password source. For more information about t
he | 72 the PKCS#12 file (i.e. input file) password source. For more information about |
72 format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in | 73 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in |
73 L<openssl(1)|openssl(1)>. | 74 L<openssl(1)|openssl(1)>. |
74 | 75 |
75 =item B<-passout arg> | 76 =item B<-passout arg> |
76 | 77 |
77 pass phrase source to encrypt any outputed private keys with. For more informati
on | 78 pass phrase source to encrypt any outputed private keys with. For more |
78 about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in | 79 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section |
79 L<openssl(1)|openssl(1)>. | 80 in L<openssl(1)|openssl(1)>. |
80 | 81 |
81 =item B<-noout> | 82 =item B<-noout> |
82 | 83 |
83 this option inhibits output of the keys and certificates to the output file vers
ion | 84 this option inhibits output of the keys and certificates to the output file |
84 of the PKCS#12 file. | 85 version of the PKCS#12 file. |
85 | 86 |
86 =item B<-clcerts> | 87 =item B<-clcerts> |
87 | 88 |
88 only output client certificates (not CA certificates). | 89 only output client certificates (not CA certificates). |
89 | 90 |
90 =item B<-cacerts> | 91 =item B<-cacerts> |
91 | 92 |
92 only output CA certificates (not client certificates). | 93 only output CA certificates (not client certificates). |
93 | 94 |
94 =item B<-nocerts> | 95 =item B<-nocerts> |
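Review bot: the reflowed -passout text at NEW line 78 keeps the typo "outputed" (should be "output"), and the COMMAND OPTIONS paragraph at NEW line 52 still reads "There are a lot of options the meaning of some depends of whether"; since the line is being touched anyway, suggest "There are a lot of options; the meaning of some depends on whether". The synopsis spells the password option B<-password arg> while the item at NEW line 70 is B<-pass arg>, B<-passin arg>; the two should agree. The newly added synopsis entries B<-CAfile file>, B<-CApath dir> and B<-CSP name> are documented under the creation options only, so a reader of the SYNOPSIS would benefit from a short statement that they apply when B<-export> is given.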
(...skipping 14 matching lines...)
109 use DES to encrypt private keys before outputting. | 110 use DES to encrypt private keys before outputting. |
110 | 111 |
111 =item B<-des3> | 112 =item B<-des3> |
112 | 113 |
113 use triple DES to encrypt private keys before outputting, this is the default. | 114 use triple DES to encrypt private keys before outputting, this is the default. |
114 | 115 |
115 =item B<-idea> | 116 =item B<-idea> |
116 | 117 |
117 use IDEA to encrypt private keys before outputting. | 118 use IDEA to encrypt private keys before outputting. |
118 | 119 |
| 120 =item B<-aes128>, B<-aes192>, B<-aes256> |
| 121 |
| 122 use AES to encrypt private keys before outputting. |
| 123 |
| 124 =item B<-camellia128>, B<-camellia192>, B<-camellia256> |
| 125 |
| 126 use Camellia to encrypt private keys before outputting. |
| 127 |
119 =item B<-nodes> | 128 =item B<-nodes> |
120 | 129 |
121 don't encrypt the private keys at all. | 130 don't encrypt the private keys at all. |
122 | 131 |
123 =item B<-nomacver> | 132 =item B<-nomacver> |
124 | 133 |
125 don't attempt to verify the integrity MAC before reading the file. | 134 don't attempt to verify the integrity MAC before reading the file. |
126 | 135 |
127 =item B<-twopass> | 136 =item B<-twopass> |
128 | 137 |
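Review bot: the new B<-aes128>/B<-aes192>/B<-aes256> and B<-camellia*> items at NEW lines 120-126 say only "use AES/Camellia to encrypt private keys before outputting"; the B<-keypbe> text later in this change says a cipher name is applied with PKCS#5 v2.0 and that PKCS#12 algorithms are advisable for interoperability, so these items should carry the same caveat (or refer to B<-keypbe>) so that a reader does not assume the new ciphers import as widely as the B<-des3> default. The B<-des3> item at NEW line 114 still says "this is the default", which matches the B<-descert> text ("By default the private key is encrypted using triple DES"); fine to keep.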
(...skipping 12 matching lines...)
141 This option specifies that a PKCS#12 file will be created rather than | 150 This option specifies that a PKCS#12 file will be created rather than |
142 parsed. | 151 parsed. |
143 | 152 |
144 =item B<-out filename> | 153 =item B<-out filename> |
145 | 154 |
146 This specifies filename to write the PKCS#12 file to. Standard output is used | 155 This specifies filename to write the PKCS#12 file to. Standard output is used |
147 by default. | 156 by default. |
148 | 157 |
149 =item B<-in filename> | 158 =item B<-in filename> |
150 | 159 |
151 The filename to read certificates and private keys from, standard input by defau
lt. | 160 The filename to read certificates and private keys from, standard input by |
152 They must all be in PEM format. The order doesn't matter but one private key and | 161 default. They must all be in PEM format. The order doesn't matter but one |
153 its corresponding certificate should be present. If additional certificates are | 162 private key and its corresponding certificate should be present. If additional |
154 present they will also be included in the PKCS#12 file. | 163 certificates are present they will also be included in the PKCS#12 file. |
155 | 164 |
156 =item B<-inkey filename> | 165 =item B<-inkey filename> |
157 | 166 |
158 file to read private key from. If not present then a private key must be present | 167 file to read private key from. If not present then a private key must be present |
159 in the input file. | 168 in the input file. |
160 | 169 |
161 =item B<-name friendlyname> | 170 =item B<-name friendlyname> |
162 | 171 |
163 This specifies the "friendly name" for the certificate and private key. This nam
e | 172 This specifies the "friendly name" for the certificate and private key. This |
164 is typically displayed in list boxes by software importing the file. | 173 name is typically displayed in list boxes by software importing the file. |
165 | 174 |
166 =item B<-certfile filename> | 175 =item B<-certfile filename> |
167 | 176 |
168 A filename to read additional certificates from. | 177 A filename to read additional certificates from. |
169 | 178 |
170 =item B<-caname friendlyname> | 179 =item B<-caname friendlyname> |
171 | 180 |
172 This specifies the "friendly name" for other certificates. This option may be | 181 This specifies the "friendly name" for other certificates. This option may be |
173 used multiple times to specify names for all certificates in the order they | 182 used multiple times to specify names for all certificates in the order they |
174 appear. Netscape ignores friendly names on other certificates whereas MSIE | 183 appear. Netscape ignores friendly names on other certificates whereas MSIE |
(...skipping 19 matching lines...)
194 | 203 |
195 =item B<-descert> | 204 =item B<-descert> |
196 | 205 |
197 encrypt the certificate using triple DES, this may render the PKCS#12 | 206 encrypt the certificate using triple DES, this may render the PKCS#12 |
198 file unreadable by some "export grade" software. By default the private | 207 file unreadable by some "export grade" software. By default the private |
199 key is encrypted using triple DES and the certificate using 40 bit RC2. | 208 key is encrypted using triple DES and the certificate using 40 bit RC2. |
200 | 209 |
201 =item B<-keypbe alg>, B<-certpbe alg> | 210 =item B<-keypbe alg>, B<-certpbe alg> |
202 | 211 |
203 these options allow the algorithm used to encrypt the private key and | 212 these options allow the algorithm used to encrypt the private key and |
204 certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms | 213 certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name |
205 can be selected it is advisable only to use PKCS#12 algorithms. See the list | 214 can be used (see B<NOTES> section for more information). If a a cipher name |
206 in the B<NOTES> section for more information. | 215 (as output by the B<list-cipher-algorithms> command is specified then it |
| 216 is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only |
| 217 use PKCS#12 algorithms. |
207 | 218 |
208 =item B<-keyex|-keysig> | 219 =item B<-keyex|-keysig> |
209 | 220 |
210 specifies that the private key is to be used for key exchange or just signing. | 221 specifies that the private key is to be used for key exchange or just signing. |
211 This option is only interpreted by MSIE and similar MS software. Normally | 222 This option is only interpreted by MSIE and similar MS software. Normally |
212 "export grade" software will only allow 512 bit RSA keys to be used for | 223 "export grade" software will only allow 512 bit RSA keys to be used for |
213 encryption purposes but arbitrary length keys for signing. The B<-keysig> | 224 encryption purposes but arbitrary length keys for signing. The B<-keysig> |
214 option marks the key for signing only. Signing only keys can be used for | 225 option marks the key for signing only. Signing only keys can be used for |
215 S/MIME signing, authenticode (ActiveX control signing) and SSL client | 226 S/MIME signing, authenticode (ActiveX control signing) and SSL client |
216 authentication, however due to a bug only MSIE 5.0 and later support | 227 authentication, however due to a bug only MSIE 5.0 and later support |
217 the use of signing only keys for SSL client authentication. | 228 the use of signing only keys for SSL client authentication. |
218 | 229 |
| 230 =item B<-macalg digest> |
| 231 |
| 232 specify the MAC digest algorithm. If not included them SHA1 will be used. |
| 233 |
219 =item B<-nomaciter>, B<-noiter> | 234 =item B<-nomaciter>, B<-noiter> |
220 | 235 |
221 these options affect the iteration counts on the MAC and key algorithms. | 236 these options affect the iteration counts on the MAC and key algorithms. |
222 Unless you wish to produce files compatible with MSIE 4.0 you should leave | 237 Unless you wish to produce files compatible with MSIE 4.0 you should leave |
223 these options alone. | 238 these options alone. |
224 | 239 |
225 To discourage attacks by using large dictionaries of common passwords the | 240 To discourage attacks by using large dictionaries of common passwords the |
226 algorithm that derives keys from passwords can have an iteration count applied | 241 algorithm that derives keys from passwords can have an iteration count applied |
227 to it: this causes a certain part of the algorithm to be repeated and slows it | 242 to it: this causes a certain part of the algorithm to be repeated and slows it |
228 down. The MAC is used to check the file integrity but since it will normally | 243 down. The MAC is used to check the file integrity but since it will normally |
229 have the same password as the keys and certificates it could also be attacked. | 244 have the same password as the keys and certificates it could also be attacked. |
230 By default both MAC and encryption iteration counts are set to 2048, using | 245 By default both MAC and encryption iteration counts are set to 2048, using |
231 these options the MAC and encryption iteration counts can be set to 1, since | 246 these options the MAC and encryption iteration counts can be set to 1, since |
232 this reduces the file security you should not use these options unless you | 247 this reduces the file security you should not use these options unless you |
233 really have to. Most software supports both MAC and key iteration counts. | 248 really have to. Most software supports both MAC and key iteration counts. |
234 MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter> | 249 MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter> |
235 option. | 250 option. |
236 | 251 |
237 =item B<-maciter> | 252 =item B<-maciter> |
238 | 253 |
239 This option is included for compatibility with previous versions, it used | 254 This option is included for compatibility with previous versions, it used |
240 to be needed to use MAC iterations counts but they are now used by default. | 255 to be needed to use MAC iterations counts but they are now used by default. |
241 | 256 |
| 257 =item B<-nomac> |
| 258 |
| 259 don't attempt to provide the MAC integrity. |
| 260 |
242 =item B<-rand file(s)> | 261 =item B<-rand file(s)> |
243 | 262 |
244 a file or files containing random data used to seed the random number | 263 a file or files containing random data used to seed the random number |
245 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | 264 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
246 Multiple files can be specified separated by a OS-dependent character. | 265 Multiple files can be specified separated by a OS-dependent character. |
247 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | 266 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
248 all others. | 267 all others. |
249 | 268 |
| 269 =item B<-CAfile file> |
| 270 |
| 271 CA storage as a file. |
| 272 |
| 273 =item B<-CApath dir> |
| 274 |
| 275 CA storage as a directory. This directory must be a standard certificate |
| 276 directory: that is a hash of each subject name (using B<x509 -hash>) should be |
| 277 linked to each certificate. |
| 278 |
| 279 =item B<-CSP name> |
| 280 |
| 281 write B<name> as a Microsoft CSP name. |
| 282 |
250 =back | 283 =back |
251 | 284 |
252 =head1 NOTES | 285 =head1 NOTES |
253 | 286 |
254 Although there are a large number of options most of them are very rarely | 287 Although there are a large number of options most of them are very rarely |
255 used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used | 288 used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used |
256 for PKCS#12 file creation B<-export> and B<-name> are also used. | 289 for PKCS#12 file creation B<-export> and B<-name> are also used. |
257 | 290 |
258 If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present | 291 If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present |
259 then all certificates will be output in the order they appear in the input | 292 then all certificates will be output in the order they appear in the input |
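Review bot: the new B<-keypbe>/B<-certpbe> text at NEW lines 214-215 has a doubled article ("If a a cipher name") and an unclosed parenthesis ("(as output by the B<list-cipher-algorithms> command is specified" needs a ")" after "command"); the B<-macalg> item at NEW line 232 reads "If not included them SHA1" (should be "then"). The synopsis now shows B<-certpbe cipher> and B<-keypbe cipher> while the item header at NEW line 210 still says B<-keypbe alg>, B<-certpbe alg>; pick one. The B<-nomac> item at NEW line 259 ("don't attempt to provide the MAC integrity") should spell out the consequence that the B<-nomaciter> paragraph already implies: a file written without a MAC carries no integrity check, so modification of it cannot be detected when it is parsed, and the option belongs with the "reduces the file security ... unless you really have to" advice given for the iteration-count options.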
(...skipping 61 matching lines...)
321 from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#
12 | 354 from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#
12 |
322 file from the keys and certificates using a newer version of OpenSSL. For exampl
e: | 355 file from the keys and certificates using a newer version of OpenSSL. For exampl
e: |
323 | 356 |
324 old-openssl -in bad.p12 -out keycerts.pem | 357 old-openssl -in bad.p12 -out keycerts.pem |
325 openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 | 358 openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 |
326 | 359 |
327 =head1 SEE ALSO | 360 =head1 SEE ALSO |
328 | 361 |
329 L<pkcs8(1)|pkcs8(1)> | 362 L<pkcs8(1)|pkcs8(1)> |
330 | 363 |
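Review bot: the worked example at NEW lines 357-358 omits the B<pkcs12> subcommand ("openssl -in keycerts.pem -export ..." does not invoke the utility as given in the SYNOPSIS, B<openssl> B<pkcs12>); suggest "openssl pkcs12 -in keycerts.pem -export -name ..." and, for the first line, making clear that "old-openssl" stands for the older OpenSSL's B<pkcs12> command. These lines are unchanged by this patch but are worth fixing while the file is being edited.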