Name

pkcs12

Synopsis

The pkcs12 command is used to create, examine, and manipulate PKCS#12-formatted files.

Options

-in filename

Specify the name of a file from which a PKCS#12 structure in PEM format will be read. If this option is omitted, stdin will be used.

-out filename

Specify the name of a file that will be used to write a PKCS#12 structure in PEM format. If this option is omitted, stdout will be used.

-password password, -passin password

Specify the password or passphrase that is required to decrypt the input PKCS#12 structure. This option follows the guidelines for passwords and passphrases outlined in Chapter 2.

-passout password

Specify the password or passphrase that will be used to encrypt the output PKCS#12 structure. This option follows the guidelines for passwords and passphrases outlined in Chapter 2.

-des, -des3, -idea

Specify the cipher that will be used to encrypt the output PKCS#12 structure. If this option is omitted, the default is to use 3DES.

-nodes

Cause the output PKCS#12 structure to be unencrypted.

-noout

Cause the output of a PKCS#12 structure to be suppressed. This option is useful when extracting the various structures that are contained by a PKCS#12 structure.

-clcerts

Cause only the client certificates contained in the input PKCS#12 structure to be output.

-cacerts

Cause only the CA certificates contained in the input PKCS#12 structure to be output.

-nocerts

Suppress the output of any certificates, whether they are client or CA certificates.

-nokeys

Suppress the output of any private keys.

-info

Cause a human-readable form of the PKCS#12 structure to be output, which includes information such as the algorithms used.

-nomacver

Inhibit the verification of the PKCS#12 structure’s MAC integrity when reading it in.

-twopass

Cause separate prompts for the integrity and encryption passwords. Normally, these two passwords are the same, and most software using PKCS#12 structures expects them to be, so this option may render PKCS#12 structures that are created unreadable by some software. Use of this option is not recommended.

-export

Cause a PKCS#12 object to be created instead of examined or manipulated. When this option is specified, no PKCS#12 object is read as input. Instead, the input data is expected to be a combination of private keys and certificates. At least one certificate and matching private key must be present in the input data.

-inkey filename

Specify the name of a file from which a private key will be read. If this option is specified, the input data read from either stdin or the file specified with the in option is not required to contain a key.

-certfile filename

Specify the name of a file containing additional certificates that will be included in the output PKCS#12 structure.

-CAfile filename

Specify the name of a file containing additional certificates that will be included in the output PKCS#12 structure.

-CApath directory

Specify the name of a directory containing certificates that will be included in the output PKCS#12 structure. The files in the directory are expected to be named by each certificate issuer’s hash and an extension of “.0”.

-name name

Specify the “friendly name” for the primary certificate and private key contained in the PKCS#12 structure. This “friendly name” is ordinarily used for display purposes in programs that use the PKCS#12 structure.

-caname name

Specify the “friendly name” for any extra certificates contained in the PKCS#12 structure. This option may be specified once for each additional certificate that will be contained in the PKCS#12 structure. The names should be specified in the order that certificates are included. It should be noted that not all software uses these names. Some use only the primary certificate’s “friendly name.”

-chain

Cause the entire certificate chain of the primary certificate to be included in the output PKCS#12 structure. If this option is not specified, the CAfile and CApath options are ignored. If not all of the certificates in the chain are available, it is considered a fatal error, and no PKCS#12 structure will result.

-descert

Cause the primary certificate to be encrypted using 3DES instead of 40-bit RC2, which is the default. Note that some old export-grade software will not be able to read the PKCS#12 structure if the certificate is this strongly encrypted.

-keypbe algorithm

Specify the algorithm to use to encrypt the private key. Any PKCS#5 v1.5 or PKCS#12 algorithm is valid, but we recommend that you use only PKCS#12 algorithms. The pkcs8 command reference lists the algorithms that may be used.

-certpbe algorithm

Specify the algorithm to use to encrypt the primary certificate. Any PKCS#5 v1.5 or PKCS#12 algorithm is valid, but we recommend that you use only PKCS#12 algorithms. The pkcs8 command reference lists the algorithms that may be used.

-keyex

Mark the private key to be usable for exchange purposes only. By default, the key may be used for either exchange or signing. This option is mutually exclusive with the keysig option.

-keysig

Mark the private key to be usable for signing purposes only. By default, the key may be used for exchange or signing. This option is mutually exclusive with the keyex option.

-noiter, -nomaciter

Cause the MAC and key algorithms not to use iteration counts.

-maciter

This option is normally enabled by default, but is present for backwards compatibility. It causes the MAC and key algorithms to use iteration counts, thus strengthening the protection on the PKCS#12 structure.

-rand filename

Specify the name of a file or files to be used to seed the PRNG. The parameter for this option follows the guidelines outlined in Chapter 2.
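The following script is an added example, not part of the original reference and not code from the OpenSSL project; it ties together the examination options (-info, -noout, -clcerts, -cacerts, -nocerts, -nokeys, -nodes, -nomacver) and the creation options (-export, -inkey, -chain, -CAfile, -name, -caname) described above. It assumes only that the openssl command-line tool is on the PATH with its default configuration file installed. The CA and client names, the file names and the password are constructed for the demonstration. It builds a throwaway CA and client certificate, packs them into a PKCS#12 bundle, reads the parts back out, checks that they match what went in, and confirms that a wrong password is rejected even when MAC verification is skipped.

```shell
#!/bin/sh
# Added example: PKCS#12 round trip with the openssl CLI.
# All files live in a temporary directory; names and password are constructed.
set -eu

# Build a throwaway CA and a client certificate signed by it, so that the
# -chain / -CAfile options have a chain to assemble. (Assumed names.)
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=demo-ca" -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-client" -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -sha256 -out "$dir/client-cert.pem" 2>/dev/null
}

# -export reverses the command: input is a certificate plus its private key
# (-inkey), output is a PKCS#12 structure. -chain pulls the issuing CA in via
# -CAfile; -name / -caname set the friendly names that GUIs display.
export_bundle() {
    dir=$1; pw=$2
    openssl pkcs12 -export \
        -in "$dir/client-cert.pem" -inkey "$dir/client-key.pem" \
        -chain -CAfile "$dir/ca-cert.pem" \
        -name "demo client" -caname "demo CA" \
        -passout "pass:$pw" -out "$dir/bundle.p12"
}

# -info writes the algorithms and MAC parameters to stderr; -noout suppresses
# the decoded PEM so only that summary remains.
show_info() {
    openssl pkcs12 -in "$1/bundle.p12" -passin "pass:$2" -info -noout 2>&1
}

# Pull the bundle apart: -clcerts -nokeys gives the end-entity certificate only,
# -cacerts -nokeys the CA certificates only, -nocerts -nodes the key in clear.
extract_parts() {
    dir=$1; pw=$2
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$pw" -clcerts -nokeys -out "$dir/out-client.pem"
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$pw" -cacerts -nokeys -out "$dir/out-ca.pem"
    openssl pkcs12 -in "$dir/bundle.p12" -passin "pass:$pw" -nocerts -nodes -out "$dir/out-key.pem"
}

# Compare what came out with what went in: certificates by SHA-256 fingerprint,
# the key by its public half, so no private material is echoed anywhere.
verify_roundtrip() {
    dir=$1
    in_fp=$(openssl x509 -in "$dir/client-cert.pem" -noout -fingerprint -sha256)
    out_fp=$(openssl x509 -in "$dir/out-client.pem" -noout -fingerprint -sha256)
    [ -n "$in_fp" ] && [ "$in_fp" = "$out_fp" ] || return 1
    ca_in=$(openssl x509 -in "$dir/ca-cert.pem" -noout -fingerprint -sha256)
    ca_out=$(openssl x509 -in "$dir/out-ca.pem" -noout -fingerprint -sha256)
    [ -n "$ca_in" ] && [ "$ca_in" = "$ca_out" ] || return 1
    in_pub=$(openssl pkey -in "$dir/client-key.pem" -pubout)
    out_pub=$(openssl pkey -in "$dir/out-key.pem" -pubout)
    [ -n "$in_pub" ] && [ "$in_pub" = "$out_pub" ]
}

# A wrong password fails the MAC check (non-zero exit). -nomacver skips that
# integrity check, but the encrypted content still cannot be decrypted, so it
# does not turn a wrong password into a successful read.
wrong_password_is_rejected() {
    dir=$1
    if openssl pkcs12 -in "$dir/bundle.p12" -passin pass:not-the-password -noout >/dev/null 2>&1; then
        return 1
    fi
    if openssl pkcs12 -in "$dir/bundle.p12" -passin pass:not-the-password -nomacver -noout >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

run_demo() {
    dir=$(mktemp -d)
    pw="correct horse battery staple"   # constructed demo password
    make_test_pki "$dir"
    export_bundle "$dir" "$pw"
    show_info "$dir" "$pw" | grep -q "MAC:" || return 1
    extract_parts "$dir" "$pw"
    verify_roundtrip "$dir" || return 1
    wrong_password_is_rejected "$dir" || return 1
    rm -rf "$dir"
    echo "PKCS#12 round trip OK"
}

run_demo
```

Two caveats when running this against a current OpenSSL: the defaults quoted in the option descriptions above (3DES for the key, 40-bit RC2 for the certificate) are those of the 0.9.x era, and OpenSSL 3 instead defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC unless -legacy is given, which the -info output makes visible; and -nodes is still accepted by OpenSSL 3 but is a deprecated alias for -noenc.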