X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Fpkcs12.pod;h=811b8222be94e7433af808503e67aceefbfc65a3;hp=241f9c4a8b059d6b896768f58b2ac4a532143b43;hb=a528d4f0a9a71405f3ca06e20cbd27aa1b8c0df9;hpb=a4cfd178f919c6a26c6f1e922e95dc61460a5e36 diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index 241f9c4a8b..811b8222be 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -23,22 +23,25 @@ B B [B<-cacerts>] [B<-nokeys>] [B<-info>] -[B<-des>] -[B<-des3>] -[B<-idea>] -[B<-nodes>] +[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes>] [B<-noiter>] -[B<-maciter>] +[B<-maciter | -nomaciter | -nomac>] [B<-twopass>] [B<-descert>] -[B<-certpbe>] -[B<-keypbe>] +[B<-certpbe cipher>] +[B<-keypbe cipher>] +[B<-macalg digest>] [B<-keyex>] [B<-keysig>] [B<-password arg>] [B<-passin arg>] [B<-passout arg>] [B<-rand file(s)>] +[B<-CAfile file>] +[B<-CApath dir>] +[B<-no-CAfile>] +[B<-no-CApath>] +[B<-CSP name>] =head1 DESCRIPTION @@ -49,7 +52,7 @@ programs including Netscape, MSIE and MS Outlook. =head1 COMMAND OPTIONS There are a lot of options the meaning of some depends of whether a PKCS#12 file -is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12 +is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the B<-export> option (see below). =head1 PARSING OPTIONS 
@@ -63,25 +66,30 @@ by default. =item B<-out filename> -The filename to write certificates and private keys to, standard output by default. -They are all written in PEM format. +The filename to write certificates and private keys to, standard output by +default. They are all written in PEM format. -=item B<-pass arg>, B<-passin arg> +=item B<-passin arg> -the PKCS#12 file (i.e. input file) password source. For more information about the -format of B see the B section in -L. +the PKCS#12 file (i.e. input file) password source. For more information about +the format of B see the B section in +L. =item B<-passout arg> -pass phrase source to encrypt any outputed private keys with. For more information -about the format of B see the B section in -L. +pass phrase source to encrypt any outputted private keys with. For more +information about the format of B see the B section +in L. + +=item B<-password arg> + +With -export, -password is equivalent to -passout. +Otherwise, -password is equivalent to -passin. =item B<-noout> -this option inhibits output of the keys and certificates to the output file version -of the PKCS#12 file. +this option inhibits output of the keys and certificates to the output file +version of the PKCS#12 file. =item B<-clcerts> @@ -116,6 +124,14 @@ use triple DES to encrypt private keys before outputting, this is the default. use IDEA to encrypt private keys before outputting. +=item B<-aes128>, B<-aes192>, B<-aes256> + +use AES to encrypt private keys before outputting. + +=item B<-camellia128>, B<-camellia192>, B<-camellia256> + +use Camellia to encrypt private keys before outputting. + =item B<-nodes> don't encrypt the private keys at all. 
@@ -148,10 +164,10 @@ by default. =item B<-in filename> -The filename to read certificates and private keys from, standard input by default. -They must all be in PEM format. The order doesn't matter but one private key and -its corresponding certificate should be present. If additional certificates are -present they will also be included in the PKCS#12 file. +The filename to read certificates and private keys from, standard input by +default. They must all be in PEM format. The order doesn't matter but one +private key and its corresponding certificate should be present. If additional +certificates are present they will also be included in the PKCS#12 file. =item B<-inkey filename> @@ -160,8 +176,8 @@ in the input file. =item B<-name friendlyname> -This specifies the "friendly name" for the certificate and private key. This name -is typically displayed in list boxes by software importing the file. +This specifies the "friendly name" for the certificate and private key. This +name is typically displayed in list boxes by software importing the file. =item B<-certfile filename> @@ -178,13 +194,13 @@ displays them. the PKCS#12 file (i.e. output file) password source. For more information about the format of B see the B section in -L. +L. =item B<-passin password> pass phrase source to decrypt any input private keys with. For more information about the format of B see the B section in -L. +L. =item B<-chain> 
@@ -201,9 +217,11 @@ key is encrypted using triple DES and the certificate using 40 bit RC2. =item B<-keypbe alg>, B<-certpbe alg> these options allow the algorithm used to encrypt the private key and -certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms -can be selected it is advisable only to use PKCS#12 algorithms. See the list -in the B section for more information. +certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name +can be used (see B section for more information). If a cipher name +(as output by the B command is specified then it +is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only +use PKCS#12 algorithms. =item B<-keyex|-keysig> @@ -216,6 +234,10 @@ S/MIME signing, authenticode (ActiveX control signing) and SSL client authentication, however due to a bug only MSIE 5.0 and later support the use of signing only keys for SSL client authentication. +=item B<-macalg digest> + +specify the MAC digest algorithm. If not included them SHA1 will be used. + =item B<-nomaciter>, B<-noiter> these options affect the iteration counts on the MAC and key algorithms. 
@@ -239,14 +261,40 @@ option. This option is included for compatibility with previous versions, it used to be needed to use MAC iterations counts but they are now used by default. +=item B<-nomac> + +don't attempt to provide the MAC integrity. + =item B<-rand file(s)> a file or files containing random data used to seed the random number -generator, or an EGD socket (see L). +generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. -The separator is B<;> for MS-Windows, B<,> for OpenVSM, and B<:> for +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. +=item B<-CAfile file> + +CA storage as a file. + +=item B<-CApath dir> + +CA storage as a directory. This directory must be a standard certificate +directory: that is a hash of each subject name (using B) should be +linked to each certificate. + +=item B<-no-CAfile> + +Do not load the trusted CA certificates from the default file location + +=item B<-no-CApath> + +Do not load the trusted CA certificates from the default directory location + +=item B<-CSP name> + +write B as a Microsoft CSP name. + =back =head1 NOTES @@ -262,7 +310,7 @@ the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the B<-clcerts> option will solve this problem by only -outputing the certificate corresponding to the private key. If the CA +outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the B<-nokeys -cacerts> options to just output CA certificates. 
@@ -300,11 +348,7 @@ Include some extra certificates: openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem -=head1 BUGS - -Some would argue that the PKCS#12 standard is one big bug :-) - =head1 SEE ALSO -L +L
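Review bot: in the SYNOPSIS hunk (@@ -23,22), the argument placeholders for the new `[B<-certpbe cipher>]` and `[B<-keypbe cipher>]` entries disagree with the option descriptions further down, which head these items `B<-keypbe alg>, B<-certpbe alg>` and state that any PKCS#5 v1.5 or PKCS#12 PBE algorithm name is accepted, not only a cipher name; use one placeholder (`alg` is the more accurate one) in both places.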
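Review bot: in the parsing-options hunk (@@ -63,25), the new `B<-password arg>` item writes `-export`, `-password`, `-passout` and `-passin` as bare text, while every other option reference in this file is wrapped in `B<...>`; suggest `With B<-export>, B<-password> is equivalent to B<-passout>.` and `Otherwise, B<-password> is equivalent to B<-passin>.` so the rendered page formats them consistently.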
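Review bot: in the AES/Camellia hunk (@@ -116,6), the two new items say only "use AES" and "use Camellia"; since three variants are listed per item, the text should say that the number selects the key size (128, 192 or 256 bits) so a reader does not have to infer it from the option name, and it is worth stating that these apply to the private key encryption the same way as `B<-des3>` immediately above.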
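Review bot: in the `-keypbe`/`-certpbe` hunk (@@ -201,9), the sentence "If a cipher name (as output by the B command is specified then it is used with PKCS#5 v2.0." never closes its parenthesis; it should read "(as output by the B<...> command) is specified then it is used with PKCS#5 v2.0." (the `B<...>` command reference is not visible in this view, so only the punctuation is being flagged). Also consider stating why PKCS#12 algorithms are recommended beyond "interoperability reasons", since the preceding paragraph explains that the default key encryption is triple DES and the certificate encryption 40-bit RC2.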
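Review bot: in the `-macalg` hunk (@@ -216,6), "If not included them SHA1 will be used." has a typo; it should read "If not included then SHA1 will be used."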
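Review bot: in the `-nomac`/CA-option hunk (@@ -239,14), "don't attempt to provide the MAC integrity." is awkward; suggest "don't generate a MAC over the PKCS#12 file, so the file has no integrity protection." to make the consequence explicit. The `B<-no-CAfile>` and `B<-no-CApath>` descriptions are the only items in this section without a terminating full stop. The new `B<-CAfile file>` and `B<-CApath dir>` items say what the CA store is but not which operation consults it; the obvious candidate in this file is `B<-chain>` certificate chain building, and a one-line cross reference would save the reader guessing.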
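Review bot: in the final hunk (@@ -300,11), deleting the `=head1 BUGS` section is a content change unrelated to the option documentation updates in the rest of this patch; either mention it in the commit message or split it into its own change so the two can be reviewed independently.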