2
0

pkcs12.pod 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392
  1. =pod
  2. =head1 NAME
  3. openssl-pkcs12,
  4. pkcs12 - PKCS#12 file utility
  5. =head1 SYNOPSIS
  6. B<openssl> B<pkcs12>
  7. [B<-help>]
  8. [B<-export>]
  9. [B<-chain>]
  10. [B<-inkey file_or_id>]
  11. [B<-certfile filename>]
  12. [B<-name name>]
  13. [B<-caname name>]
  14. [B<-in filename>]
  15. [B<-out filename>]
  16. [B<-noout>]
  17. [B<-nomacver>]
  18. [B<-nocerts>]
  19. [B<-clcerts>]
  20. [B<-cacerts>]
  21. [B<-nokeys>]
  22. [B<-info>]
  23. [B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -aria128 | -aria192 | -aria256 | -camellia128 | -camellia192 | -camellia256 | -nodes>]
  24. [B<-noiter>]
  25. [B<-maciter | -nomaciter | -nomac>]
  26. [B<-twopass>]
  27. [B<-descert>]
  28. [B<-certpbe cipher>]
  29. [B<-keypbe cipher>]
  30. [B<-macalg digest>]
  31. [B<-keyex>]
  32. [B<-keysig>]
  33. [B<-password arg>]
  34. [B<-passin arg>]
  35. [B<-passout arg>]
  36. [B<-rand file...>]
  37. [B<-writerand file>]
  38. [B<-CAfile file>]
  39. [B<-CApath dir>]
  40. [B<-no-CAfile>]
  41. [B<-no-CApath>]
  42. [B<-CSP name>]
  43. =head1 DESCRIPTION
  44. The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
  45. PFX files) to be created and parsed. PKCS#12 files are used by several
  46. programs including Netscape, MSIE and MS Outlook.
  47. =head1 OPTIONS
  48. There are a lot of options the meaning of some depends of whether a PKCS#12 file
  49. is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
  50. file can be created by using the B<-export> option (see below).
  51. =head1 PARSING OPTIONS
  52. =over 4
  53. =item B<-help>
  54. Print out a usage message.
  55. =item B<-in filename>
  56. This specifies filename of the PKCS#12 file to be parsed. Standard input is used
  57. by default.
  58. =item B<-out filename>
  59. The filename to write certificates and private keys to, standard output by
  60. default. They are all written in PEM format.
  61. =item B<-passin arg>
  62. The PKCS#12 file (i.e. input file) password source. For more information about
  63. the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
  64. L<openssl(1)>.
  65. =item B<-passout arg>
  66. Pass phrase source to encrypt any outputted private keys with. For more
  67. information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
  68. in L<openssl(1)>.
  69. =item B<-password arg>
  70. With -export, -password is equivalent to -passout.
  71. Otherwise, -password is equivalent to -passin.
  72. =item B<-noout>
  73. This option inhibits output of the keys and certificates to the output file
  74. version of the PKCS#12 file.
  75. =item B<-clcerts>
  76. Only output client certificates (not CA certificates).
  77. =item B<-cacerts>
  78. Only output CA certificates (not client certificates).
  79. =item B<-nocerts>
  80. No certificates at all will be output.
  81. =item B<-nokeys>
  82. No private keys will be output.
  83. =item B<-info>
  84. Output additional information about the PKCS#12 file structure, algorithms
  85. used and iteration counts.
  86. =item B<-des>
  87. Use DES to encrypt private keys before outputting.
  88. =item B<-des3>
  89. Use triple DES to encrypt private keys before outputting, this is the default.
  90. =item B<-idea>
  91. Use IDEA to encrypt private keys before outputting.
  92. =item B<-aes128>, B<-aes192>, B<-aes256>
  93. Use AES to encrypt private keys before outputting.
  94. =item B<-aria128>, B<-aria192>, B<-aria256>
  95. Use ARIA to encrypt private keys before outputting.
  96. =item B<-camellia128>, B<-camellia192>, B<-camellia256>
  97. Use Camellia to encrypt private keys before outputting.
  98. =item B<-nodes>
  99. Don't encrypt the private keys at all.
  100. =item B<-nomacver>
  101. Don't attempt to verify the integrity MAC before reading the file.
  102. =item B<-twopass>
  103. Prompt for separate integrity and encryption passwords: most software
  104. always assumes these are the same so this option will render such
  105. PKCS#12 files unreadable. Cannot be used in combination with the options
  106. -password, -passin (if importing) or -passout (if exporting).
  107. =back
  108. =head1 FILE CREATION OPTIONS
  109. =over 4
  110. =item B<-export>
  111. This option specifies that a PKCS#12 file will be created rather than
  112. parsed.
  113. =item B<-out filename>
  114. This specifies filename to write the PKCS#12 file to. Standard output is used
  115. by default.
  116. =item B<-in filename>
  117. The filename to read certificates and private keys from, standard input by
  118. default. They must all be in PEM format. The order doesn't matter but one
  119. private key and its corresponding certificate should be present. If additional
  120. certificates are present they will also be included in the PKCS#12 file.
  121. =item B<-inkey file_or_id>
  122. File to read private key from. If not present then a private key must be present
  123. in the input file.
  124. If no engine is used, the argument is taken as a file; if an engine is
  125. specified, the argument is given to the engine as a key identifier.
  126. =item B<-name friendlyname>
  127. This specifies the "friendly name" for the certificate and private key. This
  128. name is typically displayed in list boxes by software importing the file.
  129. =item B<-certfile filename>
  130. A filename to read additional certificates from.
  131. =item B<-caname friendlyname>
  132. This specifies the "friendly name" for other certificates. This option may be
  133. used multiple times to specify names for all certificates in the order they
  134. appear. Netscape ignores friendly names on other certificates whereas MSIE
  135. displays them.
  136. =item B<-pass arg>, B<-passout arg>
  137. The PKCS#12 file (i.e. output file) password source. For more information about
  138. the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
  139. L<openssl(1)>.
  140. =item B<-passin password>
  141. Pass phrase source to decrypt any input private keys with. For more information
  142. about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
  143. L<openssl(1)>.
  144. =item B<-chain>
  145. If this option is present then an attempt is made to include the entire
  146. certificate chain of the user certificate. The standard CA store is used
  147. for this search. If the search fails it is considered a fatal error.
  148. =item B<-descert>
  149. Encrypt the certificate using triple DES, this may render the PKCS#12
  150. file unreadable by some "export grade" software. By default the private
  151. key is encrypted using triple DES and the certificate using 40 bit RC2.
  152. =item B<-keypbe alg>, B<-certpbe alg>
  153. These options allow the algorithm used to encrypt the private key and
  154. certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
  155. can be used (see B<NOTES> section for more information). If a cipher name
  156. (as output by the B<list-cipher-algorithms> command is specified then it
  157. is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
  158. use PKCS#12 algorithms.
  159. =item B<-keyex|-keysig>
  160. Specifies that the private key is to be used for key exchange or just signing.
  161. This option is only interpreted by MSIE and similar MS software. Normally
  162. "export grade" software will only allow 512 bit RSA keys to be used for
  163. encryption purposes but arbitrary length keys for signing. The B<-keysig>
  164. option marks the key for signing only. Signing only keys can be used for
  165. S/MIME signing, authenticode (ActiveX control signing) and SSL client
  166. authentication, however due to a bug only MSIE 5.0 and later support
  167. the use of signing only keys for SSL client authentication.
  168. =item B<-macalg digest>
  169. Specify the MAC digest algorithm. If not included them SHA1 will be used.
  170. =item B<-nomaciter>, B<-noiter>
  171. These options affect the iteration counts on the MAC and key algorithms.
  172. Unless you wish to produce files compatible with MSIE 4.0 you should leave
  173. these options alone.
  174. To discourage attacks by using large dictionaries of common passwords the
  175. algorithm that derives keys from passwords can have an iteration count applied
  176. to it: this causes a certain part of the algorithm to be repeated and slows it
  177. down. The MAC is used to check the file integrity but since it will normally
  178. have the same password as the keys and certificates it could also be attacked.
  179. By default both MAC and encryption iteration counts are set to 2048, using
  180. these options the MAC and encryption iteration counts can be set to 1, since
  181. this reduces the file security you should not use these options unless you
  182. really have to. Most software supports both MAC and key iteration counts.
  183. MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter>
  184. option.
  185. =item B<-maciter>
  186. This option is included for compatibility with previous versions, it used
  187. to be needed to use MAC iterations counts but they are now used by default.
  188. =item B<-nomac>
  189. Don't attempt to provide the MAC integrity.
  190. =item B<-rand file...>
  191. A file or files containing random data used to seed the random number
  192. generator.
  193. Multiple files can be specified separated by an OS-dependent character.
  194. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
  195. all others.
  196. =item [B<-writerand file>]
  197. Writes random data to the specified I<file> upon exit.
  198. This can be used with a subsequent B<-rand> flag.
  199. =item B<-CAfile file>
  200. CA storage as a file.
  201. =item B<-CApath dir>
  202. CA storage as a directory. This directory must be a standard certificate
  203. directory: that is a hash of each subject name (using B<x509 -hash>) should be
  204. linked to each certificate.
  205. =item B<-no-CAfile>
  206. Do not load the trusted CA certificates from the default file location.
  207. =item B<-no-CApath>
  208. Do not load the trusted CA certificates from the default directory location.
  209. =item B<-CSP name>
  210. Write B<name> as a Microsoft CSP name.
  211. =back
  212. =head1 NOTES
  213. Although there are a large number of options most of them are very rarely
  214. used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
  215. for PKCS#12 file creation B<-export> and B<-name> are also used.
  216. If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
  217. then all certificates will be output in the order they appear in the input
  218. PKCS#12 files. There is no guarantee that the first certificate present is
  219. the one corresponding to the private key. Certain software which requires
  220. a private key and certificate and assumes the first certificate in the
  221. file is the one corresponding to the private key: this may not always
  222. be the case. Using the B<-clcerts> option will solve this problem by only
  223. outputting the certificate corresponding to the private key. If the CA
  224. certificates are required then they can be output to a separate file using
  225. the B<-nokeys -cacerts> options to just output CA certificates.
  226. The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
  227. algorithms for private keys and certificates to be specified. Normally
  228. the defaults are fine but occasionally software can't handle triple DES
  229. encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
  230. be used to reduce the private key encryption to 40 bit RC2. A complete
  231. description of all algorithms is contained in the B<pkcs8> manual page.
  232. Prior 1.1 release passwords containing non-ASCII characters were encoded
  233. in non-compliant manner, which limited interoperability, in first hand
  234. with Windows. But switching to standard-compliant password encoding
  235. poses problem accessing old data protected with broken encoding. For
  236. this reason even legacy encodings is attempted when reading the
  237. data. If you use PKCS#12 files in production application you are advised
  238. to convert the data, because implemented heuristic approach is not
  239. MT-safe, its sole goal is to facilitate the data upgrade with this
  240. utility.
  241. =head1 EXAMPLES
  242. Parse a PKCS#12 file and output it to a file:
  243. openssl pkcs12 -in file.p12 -out file.pem
  244. Output only client certificates to a file:
  245. openssl pkcs12 -in file.p12 -clcerts -out file.pem
  246. Don't encrypt the private key:
  247. openssl pkcs12 -in file.p12 -out file.pem -nodes
  248. Print some info about a PKCS#12 file:
  249. openssl pkcs12 -in file.p12 -info -noout
  250. Create a PKCS#12 file:
  251. openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
  252. Include some extra certificates:
  253. openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
  254. -certfile othercerts.pem
  255. =head1 SEE ALSO
  256. L<pkcs8(1)>
  257. =head1 COPYRIGHT
  258. Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
  259. Licensed under the Apache License 2.0 (the "License"). You may not use
  260. this file except in compliance with the License. You can obtain a copy
  261. in the file LICENSE in the source distribution or at
  262. L<https://www.openssl.org/source/license.html>.
  263. =cut