Standardize apps use of -rand, etc.
diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod
index e851018cfd1bc999cf6fab24b4fc9d8fa2539399..2eb6b078a45376add5812747ba2c0476c50f48db 100644
--- a/doc/man1/pkcs12.pod
+++ b/doc/man1/pkcs12.pod
@@
-10,7
+10,7
@@
B<openssl> B<pkcs12>
[B<-help>]
[B<-export>]
[B<-chain>]
[B<-help>]
[B<-export>]
[B<-chain>]
-[B<-inkey file
name
>]
+[B<-inkey file
_or_id
>]
[B<-certfile filename>]
[B<-name name>]
[B<-caname name>]
[B<-certfile filename>]
[B<-name name>]
[B<-caname name>]
@@
-23,7
+23,7
@@
B<openssl> B<pkcs12>
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
-[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes>]
+[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -
aria128 | -aria192 | -aria256 | -
camellia128 | -camellia192 | -camellia256 | -nodes>]
[B<-noiter>]
[B<-maciter | -nomaciter | -nomac>]
[B<-twopass>]
[B<-noiter>]
[B<-maciter | -nomaciter | -nomac>]
[B<-twopass>]
@@
-36,7
+36,8
@@
B<openssl> B<pkcs12>
[B<-password arg>]
[B<-passin arg>]
[B<-passout arg>]
[B<-password arg>]
[B<-passin arg>]
[B<-passout arg>]
-[B<-rand file(s)>]
+[B<-rand file...>]
+[B<-writerand file>]
[B<-CAfile file>]
[B<-CApath dir>]
[B<-no-CAfile>]
[B<-CAfile file>]
[B<-CApath dir>]
[B<-no-CAfile>]
@@
-49,7
+50,7
@@
The B<pkcs12> command allows PKCS#12 files (sometimes referred to as
PFX files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, MSIE and MS Outlook.
PFX files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, MSIE and MS Outlook.
-=head1
COMMAND
OPTIONS
+=head1 OPTIONS
There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
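Review bot: the context line directly under the renamed heading is ungrammatical ("There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed"); since this hunk already edits the start of the OPTIONS section, fix it in the same commit, e.g. "There are a lot of options; the meaning of some depends on whether a PKCS#12 file is being created or parsed."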
@@
-75,13
+76,13
@@
default. They are all written in PEM format.
=item B<-passin arg>
=item B<-passin arg>
-
t
he PKCS#12 file (i.e. input file) password source. For more information about
+
T
he PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passout arg>
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passout arg>
-
p
ass phrase source to encrypt any outputted private keys with. For more
+
P
ass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
@@
-92,61
+93,65
@@
Otherwise, -password is equivalent to -passin.
=item B<-noout>
=item B<-noout>
-
t
his option inhibits output of the keys and certificates to the output file
+
T
his option inhibits output of the keys and certificates to the output file
version of the PKCS#12 file.
=item B<-clcerts>
version of the PKCS#12 file.
=item B<-clcerts>
-
o
nly output client certificates (not CA certificates).
+
O
nly output client certificates (not CA certificates).
=item B<-cacerts>
=item B<-cacerts>
-
o
nly output CA certificates (not client certificates).
+
O
nly output CA certificates (not client certificates).
=item B<-nocerts>
=item B<-nocerts>
-
n
o certificates at all will be output.
+
N
o certificates at all will be output.
=item B<-nokeys>
=item B<-nokeys>
-
n
o private keys will be output.
+
N
o private keys will be output.
=item B<-info>
=item B<-info>
-output additional information about the PKCS#12 file structure, algorithms used and
-iteration counts.
+Output additional information about the PKCS#12 file structure, algorithms
+
used and
iteration counts.
=item B<-des>
=item B<-des>
-
u
se DES to encrypt private keys before outputting.
+
U
se DES to encrypt private keys before outputting.
=item B<-des3>
=item B<-des3>
-
u
se triple DES to encrypt private keys before outputting, this is the default.
+
U
se triple DES to encrypt private keys before outputting, this is the default.
=item B<-idea>
=item B<-idea>
-
u
se IDEA to encrypt private keys before outputting.
+
U
se IDEA to encrypt private keys before outputting.
=item B<-aes128>, B<-aes192>, B<-aes256>
=item B<-aes128>, B<-aes192>, B<-aes256>
-use AES to encrypt private keys before outputting.
+Use AES to encrypt private keys before outputting.
+
+=item B<-aria128>, B<-aria192>, B<-aria256>
+
+Use ARIA to encrypt private keys before outputting.
=item B<-camellia128>, B<-camellia192>, B<-camellia256>
=item B<-camellia128>, B<-camellia192>, B<-camellia256>
-
u
se Camellia to encrypt private keys before outputting.
+
U
se Camellia to encrypt private keys before outputting.
=item B<-nodes>
=item B<-nodes>
-
d
on't encrypt the private keys at all.
+
D
on't encrypt the private keys at all.
=item B<-nomacver>
=item B<-nomacver>
-
d
on't attempt to verify the integrity MAC before reading the file.
+
D
on't attempt to verify the integrity MAC before reading the file.
=item B<-twopass>
=item B<-twopass>
-
p
rompt for separate integrity and encryption passwords: most software
+
P
rompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
@@
-173,10
+178,12
@@
default. They must all be in PEM format. The order doesn't matter but one
private key and its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 file.
private key and its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 file.
-=item B<-inkey file
name
>
+=item B<-inkey file
_or_id
>
-
f
ile to read private key from. If not present then a private key must be present
+
F
ile to read private key from. If not present then a private key must be present
in the input file.
in the input file.
+If no engine is used, the argument is taken as a file; if an engine is
+specified, the argument is given to the engine as a key identifier.
=item B<-name friendlyname>
=item B<-name friendlyname>
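Review bot: the opening sentence of the -inkey entry still reads "File to read private key from.", which now sits awkwardly next to the added sentence saying the argument is a key identifier when an engine is specified; reword the opening to cover both cases, e.g. "File to read the private key from, or a key identifier when an engine is in use.", and keep the added sentence as the detail. This entry is also the only place the synopsis rename from "filename" to "file_or_id" is explained, so the wording here should be unambiguous.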
@@
-196,31
+203,31
@@
displays them.
=item B<-pass arg>, B<-passout arg>
=item B<-pass arg>, B<-passout arg>
-
t
he PKCS#12 file (i.e. output file) password source. For more information about
+
T
he PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin password>
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin password>
-
p
ass phrase source to decrypt any input private keys with. For more information
+
P
ass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-chain>
-
i
f this option is present then an attempt is made to include the entire
+
I
f this option is present then an attempt is made to include the entire
certificate chain of the user certificate. The standard CA store is used
for this search. If the search fails it is considered a fatal error.
=item B<-descert>
certificate chain of the user certificate. The standard CA store is used
for this search. If the search fails it is considered a fatal error.
=item B<-descert>
-
e
ncrypt the certificate using triple DES, this may render the PKCS#12
+
E
ncrypt the certificate using triple DES, this may render the PKCS#12
file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2.
=item B<-keypbe alg>, B<-certpbe alg>
file unreadable by some "export grade" software. By default the private
key is encrypted using triple DES and the certificate using 40 bit RC2.
=item B<-keypbe alg>, B<-certpbe alg>
-
t
hese options allow the algorithm used to encrypt the private key and
+
T
hese options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
can be used (see B<NOTES> section for more information). If a cipher name
(as output by the B<list-cipher-algorithms> command is specified then it
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
can be used (see B<NOTES> section for more information). If a cipher name
(as output by the B<list-cipher-algorithms> command is specified then it
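Review bot: the retained context under -keypbe/-certpbe has an unclosed parenthesis, "(as output by the B<list-cipher-algorithms> command is specified then it"; since the paragraph's first line is already being touched for capitalization, close it in the same change: "(as output by the B<list-cipher-algorithms> command) is specified then it".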
@@
-229,7
+236,7
@@
use PKCS#12 algorithms.
=item B<-keyex|-keysig>
=item B<-keyex|-keysig>
-
s
pecifies that the private key is to be used for key exchange or just signing.
+
S
pecifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by MSIE and similar MS software. Normally
"export grade" software will only allow 512 bit RSA keys to be used for
encryption purposes but arbitrary length keys for signing. The B<-keysig>
This option is only interpreted by MSIE and similar MS software. Normally
"export grade" software will only allow 512 bit RSA keys to be used for
encryption purposes but arbitrary length keys for signing. The B<-keysig>
@@
-240,11
+247,11
@@
the use of signing only keys for SSL client authentication.
=item B<-macalg digest>
=item B<-macalg digest>
-
s
pecify the MAC digest algorithm. If not included them SHA1 will be used.
+
S
pecify the MAC digest algorithm. If not included them SHA1 will be used.
=item B<-nomaciter>, B<-noiter>
=item B<-nomaciter>, B<-noiter>
-
t
hese options affect the iteration counts on the MAC and key algorithms.
+
T
hese options affect the iteration counts on the MAC and key algorithms.
Unless you wish to produce files compatible with MSIE 4.0 you should leave
these options alone.
Unless you wish to produce files compatible with MSIE 4.0 you should leave
these options alone.
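Review bot: the -macalg line is rewritten only to capitalize it but keeps the typo "If not included them SHA1 will be used."; change "them" to "then" while the line is being touched: "Specify the MAC digest algorithm. If not included then SHA1 will be used."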
@@
-267,16
+274,21
@@
to be needed to use MAC iterations counts but they are now used by default.
=item B<-nomac>
=item B<-nomac>
-
d
on't attempt to provide the MAC integrity.
+
D
on't attempt to provide the MAC integrity.
-=item B<-rand file
(s)
>
+=item B<-rand file
...
>
-
a
file or files containing random data used to seed the random number
-generator
, or an EGD socket (see L<RAND_egd(3)>)
.
+
A
file or files containing random data used to seed the random number
+generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
+
=item B<-CAfile file>
CA storage as a file.
=item B<-CAfile file>
CA storage as a file.
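Review bot: the new entry is written as `=item [B<-writerand file>]`, which puts synopsis-style square brackets inside the =item, unlike every other item in this file (compare `=item B<-rand file...>` just above it); it should be `=item B<-writerand file>` so the rendered option name matches the rest of the page. Two smaller points in the same hunk: "This can be used with a subsequent B<-rand> flag" does not say that the subsequent -rand is expected in a later invocation, and "in a subsequent invocation" would make that explicit; and the -rand text drops ", or an EGD socket (see L<RAND_egd(3)>)" together with its cross-reference, which is only correct if the standardized -rand handling in the apps no longer accepts an EGD socket path, so confirm the code change matches before the reference is removed.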
@@
-289,15
+301,15
@@
linked to each certificate.
=item B<-no-CAfile>
=item B<-no-CAfile>
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location
.
=item B<-no-CApath>
=item B<-no-CApath>
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location
.
=item B<-CSP name>
=item B<-CSP name>
-
w
rite B<name> as a Microsoft CSP name.
+
W
rite B<name> as a Microsoft CSP name.
=back
=back
@@
-368,7
+380,7
@@
L<pkcs8(1)>
=head1 COPYRIGHT
=head1 COPYRIGHT
-Copyright 2000-201
6
The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-201
7
The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy