NAME
pkcs12 - Convert PKCS#12 files to other formats
SYNOPSIS
openssl pkcs12 [-export] [-chain] [-inkey file] [-in file] [-certfile file] [-CAfile file] [-CApath path] [-out file] [-des] [-des3] [-idea] [-nodes] [-nomac] [-nocerts] [-noattr] [-clcerts] [-passin arg] [-passout arg] [-name name] [-caname name] [-keyex] [-keypbe alg] [-certpbe alg] [-macalg alg] [-legacy] [-rand file(s)] [-writerand file(s)] [-engine id]
PARAMETERS
-export
Create a PKCS#12 file from the given key and certificates. Without this option, the command parses an existing PKCS#12 file and writes out its contents.
-chain
Output a certificate chain instead of a single certificate.
-inkey file
Private key to use.
-in file
Input file.
-certfile file
File containing additional certificates.
-CAfile file
File containing trusted CA certificates.
-CApath path
Directory containing trusted CA certificates.
-out file
Output file.
-des, -des3, -idea
Encryption algorithm for the private key (legacy; use -keypbe instead).
-nodes
Do not encrypt the private key at all (the name means "no DES"; legacy, use -keypbe instead).
-nomac
Do not generate MAC.
-nocerts
Do not output certificates.
-noattr
Do not output attributes.
-clcerts
Only output client certificates.
-passin arg
Input password source.
-passout arg
Output password source.
-name name
Friendly name to assign to the certificate.
-caname name
Friendly name to assign to the CA certificate.
-keyex
Generate key exchange key.
-keypbe alg
PBE algorithm to use for private key encryption (e.g., AES256).
-certpbe alg
PBE algorithm to use for certificate encryption (e.g., AES256).
-macalg alg
MAC algorithm to use for integrity check (e.g., SHA256).
-legacy
Use legacy (pre-RFC8018) KDF algorithms.
-rand file(s)
Specify one or more source files for the random number generator.
-writerand file(s)
Write random data to the specified file(s).
-engine id
Specify an engine to use (for example, a hardware accelerator) by its id.
DESCRIPTION
The pkcs12 command is an OpenSSL command-line tool for creating, examining, and manipulating PKCS#12 files. These files, also known as PFX files, are a standard format for storing private keys, certificates, and optionally certificate chains in a single, password-protected file. This is useful for importing or exporting a client certificate for use on the Web and also for backups.
The tool allows users to convert between various certificate and key formats, set passwords for protection, and verify the contents of existing PKCS#12 files. It is commonly used where cryptographic credentials must be stored or transported securely, such as for client authentication, secure email, and code signing, and is an essential tool for managing digital identities.
CAVEATS
The pkcs12 command requires careful handling of passwords to ensure the security of the stored keys and certificates.
Using weak or default passwords can compromise the security of the PKCS#12 file.
Old and deprecated algorithms like DES should be avoided in favor of more modern and secure options such as AES256.
PASSWORD HANDLING
The -passin and -passout options allow you to specify the password source. This can be a file, environment variable, or the terminal.
Be cautious about storing passwords in scripts or environment variables, as this can expose them to unauthorized access.
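The following script is an added example and is not part of the OpenSSL manual. It ties together the DESCRIPTION, CAVEATS and PASSWORD HANDLING sections: it exports a bundle with AES-256-CBC for the key and certificate bags and a SHA-256 MAC (rather than the RC2-40/3DES and SHA-1 defaults of OpenSSL 1.1.1), keeps the password in a mode-0600 file read via the file: password source instead of placing it on the command line, reads the certificates back without the key, and confirms that a wrong password fails MAC verification. It assumes the openssl binary (1.1.1 or 3.x) is on PATH; the file names, the self-signed test certificate and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL manual): create a PKCS#12 bundle with
# explicitly chosen modern algorithms, then read it back and check the MAC.
# Assumptions: the openssl binary (1.1.1 or 3.x) is on PATH; every file name
# and the password below are constructed for this demo.
set -eu
umask 077   # keys, bundles and password files are created mode 0600

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/demo.key"
CERT="$WORK/demo.crt"
P12="$WORK/demo.p12"
PASSFILE="$WORK/demo.pass"   # password kept in a 0600 file, not on the command line

# Constructed test material: a throw-away self-signed key and certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -days 1 -subj "/CN=pkcs12-demo" >/dev/null 2>&1
    printf '%s\n' 'demo-password-change-me' > "$PASSFILE"
}

# Export: AES-256-CBC PBE for both key and certificate bags, SHA-256 MAC.
export_p12() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -out "$P12" \
        -name "pkcs12-demo" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "file:$PASSFILE"
}

# Read back only the certificates (no private key); the MAC is verified first.
extract_certs() {
    openssl pkcs12 -in "$P12" -nokeys -clcerts -passin "file:$PASSFILE" 2>/dev/null
}

# Number of certificates the bundle yields.
count_certs() {
    extract_certs | grep -c 'BEGIN CERTIFICATE'
}

# Integrity check: a wrong password must fail MAC verification (non-zero
# exit) rather than silently yield garbage.
rejects_wrong_password() {
    if openssl pkcs12 -in "$P12" -nokeys -passin 'pass:not-the-password' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Show which PBE and MAC algorithms the bundle actually uses (-info writes
# this summary to stderr in some versions, so both streams are merged).
describe_p12() {
    openssl pkcs12 -in "$P12" -info -noout -passin "file:$PASSFILE" 2>&1
}

# Usage: run the steps in order and print the algorithm summary.
make_test_material
export_p12
echo "certificates in bundle: $(count_certs)"
describe_p12
```

A password file is only as safe as its permissions, which is why the script sets umask 077 before creating anything; the same file: source works for -passin when the bundle is later imported, so the password never appears in a process listing.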
KEY USAGE
The -keyex option is useful when generating a PKCS#12 file for key exchange purposes, such as Diffie-Hellman key agreement. For digital signatures, this option should not be used.
SECURITY BEST PRACTICES
Always use strong passwords and appropriate encryption algorithms. Regular audits of your PKCS#12 files and their usage are recommended to ensure the continued security of your cryptographic credentials.
SEE ALSO
openssl(1), x509(1), rsa(1), req(1)