X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=doc%2Fapps%2Fpkcs12.pod;h=811b8222be94e7433af808503e67aceefbfc65a3;hb=8ab31975bacb9c907261088937d3aa4102e3af84;hp=8e0d91798ac437258ba14b378f745f6b44f8c678;hpb=2b4ffc659eabec29f76821f0ac624a2b8c19e4c7;p=openssl.git diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 8e0d91798a..811b8222be 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -39,6 +39,8 @@ B B [B<-rand file(s)>] [B<-CAfile file>] [B<-CApath dir>] +[B<-no-CAfile>] +[B<-no-CApath>] [B<-CSP name>] =head1 DESCRIPTION @@ -71,13 +73,13 @@ default. They are all written in PEM format. the PKCS#12 file (i.e. input file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passout arg> pass phrase source to encrypt any outputted private keys with. For more information about the format of B see the B section -in L. +in L. =item B<-password arg> @@ -192,13 +194,13 @@ displays them. the PKCS#12 file (i.e. output file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passin password> pass phrase source to decrypt any input private keys with. For more information about the format of B see the B section in -L. +L. =item B<-chain> @@ -216,7 +218,7 @@ key is encrypted using triple DES and the certificate using 40 bit RC2. these options allow the algorithm used to encrypt the private key and certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name -can be used (see B section for more information). If a a cipher name +can be used (see B section for more information). If a cipher name (as output by the B command is specified then it is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only use PKCS#12 algorithms. 
@@ -266,7 +268,7 @@ don't attempt to provide the MAC integrity. =item B<-rand file(s)> a file or files containing random data used to seed the random number -generator, or an EGD socket (see L). +generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. @@ -281,6 +283,14 @@ CA storage as a directory. This directory must be a standard certificate directory: that is a hash of each subject name (using B) should be linked to each certificate. +=item B<-no-CAfile> + +Do not load the trusted CA certificates from the default file location + +=item B<-no-CApath> + +Do not load the trusted CA certificates from the default directory location + =item B<-CSP name> write B as a Microsoft CSP name. 
@@ -338,31 +348,7 @@ Include some extra certificates: openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem -=head1 BUGS - -Some would argue that the PKCS#12 standard is one big bug :-) - -Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation -routines. Under rare circumstances this could produce a PKCS#12 file encrypted -with an invalid key. As a result some PKCS#12 files which triggered this bug -from other implementations (MSIE or Netscape) could not be decrypted -by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could -not be decrypted by other implementations. The chances of producing such -a file are relatively small: less than 1 in 256. - -A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 -files cannot no longer be parsed by the fixed version. Under such circumstances -the B utility will report that the MAC is OK but fail with a decryption -error when extracting private keys. - -This problem can be resolved by extracting the private keys and certificates -from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 -file from the keys and certificates using a newer version of OpenSSL. For example: - - old-openssl -in bad.p12 -out keycerts.pem - openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 - =head1 SEE ALSO -L +L
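Review bot: in the hunk at @@ -216,7 +218,7 @@ the doubled "a a" is fixed, but the following context line "(as output by the B command is specified then it is used with PKCS#5 v2.0" still has an unbalanced parenthesis; since this paragraph is being touched anyway, close it, e.g. "(as output by the B command) is specified, then it is used with PKCS#5 v2.0."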
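Review bot: in the hunk at @@ -266,7 +268,7 @@ the context line "Multiple files can be specified separated by a OS-dependent character" should read "an OS-dependent character"; worth correcting while this paragraph is already in the diff.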
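Review bot: the new =item entries for B<-no-CAfile> and B<-no-CApath> in the hunk at @@ -281,6 +283,14 @@ are missing terminating full stops, unlike the surrounding option descriptions, and they do not say what the trusted CA certificates are used for in this command or how the new flags interact with B<-CAfile> and B<-CApath>; state whether B<-no-CAfile> has any effect when B<-CAfile> is also given, and likewise for the directory variant, so a reader knows which combination actually controls the trust store.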
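Review bot: the hunk at @@ -338,31 +348,7 @@ deletes the entire =head1 BUGS section, including the note that OpenSSL versions before 0.9.6a could write PKCS#12 files encrypted with an invalid key and the recovery procedure (extract with an older OpenSSL, re-export with a newer one); dropping this without a replacement leaves users holding such legacy files with no explanation of why B reports the MAC as OK yet fails with a decryption error on the private keys. Suggest keeping a condensed version of that paragraph, or moving it to a HISTORY section, rather than removing it outright.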