[B<-maciter>]
[B<-nomac>]
-=for openssl ifdef engine
-
=head1 DESCRIPTION
This command allows PKCS#12 files (sometimes referred to as
and many further options such as B<-chain> are relevant only with B<-export>.
Conversely, the options regarding encryption of private keys when outputting
PKCS#12 input are relevant only when the B<-export> option is not given.
+
The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.
+When encountering problems loading legacy PKCS#12 files that involve,
+for example, RC2-40-CBC,
+try using the B<-legacy> option and, if needed, the B<-provider-path> option.
+
=over 4
=item B<-help>
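Review bot: The added DESCRIPTION paragraph names only B<-provider-path>, while the B<-legacy> item added in the same patch also offers the B<OPENSSL_MODULES> environment variable. Referring the reader to the B<-legacy> description would avoid repeating half of it. The comma after "involve" breaks the sentence; "files that use legacy algorithms such as RC2-40-CBC" reads more cleanly. Since the preceding line gives the default as AES-256-CBC with PBKDF2, consider adding that files loaded this way can be re-exported with the defaults.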
=item B<-legacy>
Use legacy mode of operation and automatically load the legacy provider.
+If OpenSSL is not installed system-wide,
+it is necessary to also use, for example, C<-provider-path ./providers>
+or to set the environment variable B<OPENSSL_MODULES>
+to point to the directory where the providers can be found.
+
In the legacy mode, the default algorithm for certificate encryption
is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled
in the build. The default algorithm for private key encryption is 3DES_CBC.
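Review bot: The example C<-provider-path ./providers> in the added B<-legacy> text is a relative path, so the provider modules are loaded from whatever directory the command is run in. Use an absolute path in the example, or state that it assumes running from the build tree. The option is also marked up as C<...> here but as B<-provider-path> in the DESCRIPTION paragraph; use B<> in both places.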
=item B<-macalg> I<digest>
-Specify the MAC digest algorithm. If not included them SHA1 will be used.
+Specify the MAC digest algorithm. If not included SHA1 will be used.
=item B<-iter> I<count>
=item B<-nomac>
-Don't attempt to provide the MAC integrity.
+Do not attempt to provide the MAC integrity. This can be useful with the FIPS
+provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
+algorithm and cannot be supported by the FIPS provider.
=back
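Review bot: The new B<-nomac> text gives a reason to omit the MAC but not the consequence. Add a sentence saying that a file written with this option carries no MAC integrity check, so the reader knows what is given up when using it with the FIPS provider. "PKCS12 MAC" should be "PKCS#12 MAC" to match the spelling used in the rest of the page.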