-
=pod
=head1 NAME
=head1 SYNOPSIS
B<openssl> B<pkcs12>
+[B<-help>]
[B<-export>]
[B<-chain>]
[B<-inkey filename>]
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
-[B<-des>]
-[B<-des3>]
-[B<-idea>]
-[B<-nodes>]
+[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes>]
[B<-noiter>]
-[B<-maciter>]
+[B<-maciter | -nomaciter | -nomac>]
[B<-twopass>]
[B<-descert>]
-[B<-certpbe>]
-[B<-keypbe>]
+[B<-certpbe cipher>]
+[B<-keypbe cipher>]
+[B<-macalg digest>]
[B<-keyex>]
[B<-keysig>]
-[B<-password password>]
-[B<-envpass var>]
-[B<-passin password>]
-[B<-envpassin var>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-password arg>]
+[B<-passin arg>]
+[B<-passout arg>]
+[B<-rand file(s)>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
+[B<-CSP name>]
=head1 DESCRIPTION
=head1 COMMAND OPTIONS
There are a lot of options the meaning of some depends of whether a PKCS#12 file
-is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
+is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
file can be created by using the B<-export> option (see below).
=head1 PARSING OPTIONS
=over 4
+=item B<-help>
+
+Print out a usage message.
+
=item B<-in filename>
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
=item B<-out filename>
-The filename to write certificates and private keys to, standard output by default.
-They are all written in PEM format.
-
-=item B<-pass password>, B<-passin password>
-
-the PKCS#12 file (i.e. input file) password. Since certain utilities like "ps" make
-the command line visible this option should be used with caution.
+The filename to write certificates and private keys to, standard output by
+default. They are all written in PEM format.
-=item B<-envpass var>, B<-envpassin password>
+=item B<-passin arg>
-read the PKCS#12 file password from the environment variable B<var>.
+the PKCS#12 file (i.e. input file) password source. For more information about
+the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)>.
-=item B<-passout password>
+=item B<-passout arg>
-pass phrase to encrypt any outputed private keys with. Since certain utilities like
-"ps" make the command line visible this option should be used with caution.
+pass phrase source to encrypt any outputted private keys with. For more
+information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
+in L<openssl(1)>.
-=item B<-envpass var>, B<-envpassin password>
+=item B<-password arg>
-read the outputed private keys file password from the environment variable B<var>.
+With -export, -password is equivalent to -passout.
+Otherwise, -password is equivalent to -passin.
=item B<-noout>
-this option inhibits output of the keys and certificates to the output file version
-of the PKCS#12 file.
+this option inhibits output of the keys and certificates to the output file
+version of the PKCS#12 file.
=item B<-clcerts>
use IDEA to encrypt private keys before outputting.
+=item B<-aes128>, B<-aes192>, B<-aes256>
+
+use AES to encrypt private keys before outputting.
+
+=item B<-camellia128>, B<-camellia192>, B<-camellia256>
+
+use Camellia to encrypt private keys before outputting.
+
=item B<-nodes>
don't encrypt the private keys at all.
=item B<-in filename>
-The filename to read certificates and private keys from, standard input by default.
-They must all be in PEM format. The order doesn't matter but one private key and
-its corresponding certificate should be present. If additional certificates are
-present they will also be included in the PKCS#12 file.
+The filename to read certificates and private keys from, standard input by
+default. They must all be in PEM format. The order doesn't matter but one
+private key and its corresponding certificate should be present. If additional
+certificates are present they will also be included in the PKCS#12 file.
=item B<-inkey filename>
=item B<-name friendlyname>
-This specifies the "friendly name" for the certificate and private key. This name
-is typically displayed in list boxes by software importing the file.
+This specifies the "friendly name" for the certificate and private key. This
+name is typically displayed in list boxes by software importing the file.
=item B<-certfile filename>
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
-=item B<-pass password>, B<-passout password>
+=item B<-pass arg>, B<-passout arg>
-the PKCS#12 file (i.e. output file) password. Since certain utilities like "ps"
-make the command line visible this option should be used with caution.
-
-=item B<-envpass var>, B<-envpassout var>
-
-read the PKCS#12 file password from the environment variable B<var>.
+the PKCS#12 file (i.e. output file) password source. For more information about
+the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)>.
=item B<-passin password>
-pass phrase to decrypt the input private key with. Since certain utilities like
-"ps" make the command line visible this option should be used with caution.
-
-=item B<-envpassin password>
-
-read the input private key file password from the environment variable B<var>.
+pass phrase source to decrypt any input private keys with. For more information
+about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+L<openssl(1)>.
=item B<-chain>
=item B<-keypbe alg>, B<-certpbe alg>
these options allow the algorithm used to encrypt the private key and
-certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
-can be selected it is advisable only to use PKCS#12 algorithms. See the list
-in the B<NOTES> section for more information.
+certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
+can be used (see B<NOTES> section for more information). If a cipher name
+(as output by the B<list-cipher-algorithms> command is specified then it
+is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
+use PKCS#12 algorithms.
=item B<-keyex|-keysig>
authentication, however due to a bug only MSIE 5.0 and later support
the use of signing only keys for SSL client authentication.
+=item B<-macalg digest>
+
+specify the MAC digest algorithm. If not included them SHA1 will be used.
+
=item B<-nomaciter>, B<-noiter>
these options affect the iteration counts on the MAC and key algorithms.
This option is included for compatibility with previous versions, it used
to be needed to use MAC iterations counts but they are now used by default.
+=item B<-nomac>
+
+don't attempt to provide the MAC integrity.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)>).
+Multiple files can be specified separated by an OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item B<-CAfile file>
+
+CA storage as a file.
+
+=item B<-CApath dir>
+
+CA storage as a directory. This directory must be a standard certificate
+directory: that is a hash of each subject name (using B<x509 -hash>) should be
+linked to each certificate.
+
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
+=item B<-CSP name>
+
+write B<name> as a Microsoft CSP name.
+
=back
=head1 NOTES
a private key and certificate and assumes the first certificate in the
file is the one corresponding to the private key: this may not always
be the case. Using the B<-clcerts> option will solve this problem by only
-outputing the certificate corresponding to the private key. If the CA
+outputting the certificate corresponding to the private key. If the CA
certificates are required then they can be output to a separate file using
the B<-nokeys -cacerts> options to just output CA certificates.
openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:
-
+
openssl pkcs12 -in file.p12 -out file.pem -nodes
Print some info about a PKCS#12 file:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
-certfile othercerts.pem
-=head1 BUGS
+=head1 SEE ALSO
+
+L<pkcs8(1)>
-Some would argue that the PKCS#12 standard is one big bug :-)
+=head1 COPYRIGHT
-=head1 SEE ALSO
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
-L<pkcs8(1)|pkcs8(1)>
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+=cut
projects / openssl.git / blobdiff