Update build for OpenSSL-0.9.8j upgrade.
e257b235 1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb 50.\"
51.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq
53.el .ds Aq '
54.\"
55.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion.
e257b235 59.ie \nF \{\
60. de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 62..
63. nr % 0
64. rr F
984263bc 65.\}
66.el \{\
67. de IX
68..
69.\}
aac4ff6f 70.\"
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff
984263bc 74.if n \{\
75. ds #H 0
76. ds #V .8m
77. ds #F .3m
78. ds #[ \f1
79. ds #] \fP
80.\}
81.if t \{\
82. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
83. ds #V .6m
84. ds #F 0
85. ds #[ \&
86. ds #] \&
984263bc 87.\}
8b0cefbb 88. \" simple accents for nroff and troff
984263bc 89.if n \{\
90. ds ' \&
91. ds ` \&
92. ds ^ \&
93. ds , \&
94. ds ~ ~
95. ds /
96.\}
97.if t \{\
98. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
99. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
100. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
101. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
102. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
103. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 104.\}
8b0cefbb 105. \" troff and (daisy-wheel) nroff accents
106.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
107.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
108.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
109.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
110.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
111.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
112.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
113.ds ae a\h'-(\w'a'u*4/10)'e
114.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 115. \" corrections for vroff
116.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
117.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 118. \" for low resolution devices (crt and lpr)
119.if \n(.H>23 .if \n(.V>19 \
120\{\
121. ds : e
122. ds 8 ss
123. ds o a
124. ds d- d\h'-1'\(ga
125. ds D- D\h'-1'\(hy
126. ds th \o'bp'
127. ds Th \o'LP'
128. ds ae ae
129. ds Ae AE
130.\}
131.rm #[ #] #H #V #F C
132.\" ========================================================================
133.\"
134.IX Title "PKCS12 1"
135.TH PKCS12 1 "2009-01-11" "0.9.8j" "OpenSSL"
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents.
138.if n .ad l
139.nh
140.SH "NAME"
141pkcs12 \- PKCS#12 file utility
142.SH "SYNOPSIS"
143.IX Header "SYNOPSIS"
144\&\fBopenssl\fR \fBpkcs12\fR
145[\fB\-export\fR]
146[\fB\-chain\fR]
147[\fB\-inkey filename\fR]
148[\fB\-certfile filename\fR]
149[\fB\-name name\fR]
150[\fB\-caname name\fR]
151[\fB\-in filename\fR]
152[\fB\-out filename\fR]
153[\fB\-noout\fR]
154[\fB\-nomacver\fR]
155[\fB\-nocerts\fR]
156[\fB\-clcerts\fR]
157[\fB\-cacerts\fR]
158[\fB\-nokeys\fR]
159[\fB\-info\fR]
160[\fB\-des\fR]
161[\fB\-des3\fR]
162[\fB\-idea\fR]
163[\fB\-nodes\fR]
164[\fB\-noiter\fR]
165[\fB\-maciter\fR]
166[\fB\-twopass\fR]
167[\fB\-descert\fR]
168[\fB\-certpbe\fR]
169[\fB\-keypbe\fR]
170[\fB\-keyex\fR]
171[\fB\-keysig\fR]
172[\fB\-password arg\fR]
173[\fB\-passin arg\fR]
174[\fB\-passout arg\fR]
e3cdf75b 175[\fB\-rand file(s)\fR]
984263bc 176.SH "DESCRIPTION"
8b0cefbb 177.IX Header "DESCRIPTION"
984263bc 178The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
179\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
180programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
984263bc 181.SH "COMMAND OPTIONS"
8b0cefbb 182.IX Header "COMMAND OPTIONS"
183There are a lot of options, the meaning of some of which depends on whether a PKCS#12 file
184is being created or parsed. By default a PKCS#12 file is parsed; a PKCS#12
185file can be created by using the \fB\-export\fR option (see below).
186.SH "PARSING OPTIONS"
187.IX Header "PARSING OPTIONS"
188.IP "\fB\-in filename\fR" 4
189.IX Item "-in filename"
190This specifies the filename of the PKCS#12 file to be parsed. Standard input is used
984263bc 191by default.
192.IP "\fB\-out filename\fR" 4
193.IX Item "-out filename"
194The filename to write certificates and private keys to, standard output by default.
195They are all written in \s-1PEM\s0 format.
196.IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
197.IX Item "-pass arg, -passin arg"
198the PKCS#12 file (i.e. input file) password source. For more information about the
984263bc 199format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
200\&\fIopenssl\fR\|(1).
201.IP "\fB\-passout arg\fR" 4
202.IX Item "-passout arg"
203pass phrase source used to encrypt any private keys that are output. For more information
204about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
205\&\fIopenssl\fR\|(1).
206.IP "\fB\-noout\fR" 4
207.IX Item "-noout"
984263bc 208this option inhibits output of the keys and certificates to the output file version
209of the PKCS#12 file.
210.IP "\fB\-clcerts\fR" 4
211.IX Item "-clcerts"
984263bc 212only output client certificates (not \s-1CA\s0 certificates).
213.IP "\fB\-cacerts\fR" 4
214.IX Item "-cacerts"
984263bc 215only output \s-1CA\s0 certificates (not client certificates).
216.IP "\fB\-nocerts\fR" 4
217.IX Item "-nocerts"
984263bc 218no certificates at all will be output.
219.IP "\fB\-nokeys\fR" 4
220.IX Item "-nokeys"
984263bc 221no private keys will be output.
222.IP "\fB\-info\fR" 4
223.IX Item "-info"
224output additional information about the PKCS#12 file structure, algorithms used and
984263bc 225iteration counts.
226.IP "\fB\-des\fR" 4
227.IX Item "-des"
984263bc 228use \s-1DES\s0 to encrypt private keys before outputting.
229.IP "\fB\-des3\fR" 4
230.IX Item "-des3"
984263bc 231use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
232.IP "\fB\-idea\fR" 4
233.IX Item "-idea"
984263bc 234use \s-1IDEA\s0 to encrypt private keys before outputting.
235.IP "\fB\-nodes\fR" 4
236.IX Item "-nodes"
984263bc 237don't encrypt the private keys at all.
238.IP "\fB\-nomacver\fR" 4
239.IX Item "-nomacver"
984263bc 240don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
241.IP "\fB\-twopass\fR" 4
242.IX Item "-twopass"
243prompt for separate integrity and encryption passwords: most software
244always assumes these are the same so this option will render such
8b0cefbb 245PKCS#12 files unreadable.
984263bc 246.SH "FILE CREATION OPTIONS"
247.IX Header "FILE CREATION OPTIONS"
248.IP "\fB\-export\fR" 4
249.IX Item "-export"
250This option specifies that a PKCS#12 file will be created rather than
984263bc 251parsed.
252.IP "\fB\-out filename\fR" 4
253.IX Item "-out filename"
254This specifies the filename to write the PKCS#12 file to. Standard output is used
984263bc 255by default.
256.IP "\fB\-in filename\fR" 4
257.IX Item "-in filename"
258The filename to read certificates and private keys from, standard input by default.
259They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and
260its corresponding certificate should be present. If additional certificates are
261present they will also be included in the PKCS#12 file.
262.IP "\fB\-inkey filename\fR" 4
263.IX Item "-inkey filename"
264file to read private key from. If not present then a private key must be present
265in the input file.
266.IP "\fB\-name friendlyname\fR" 4
267.IX Item "-name friendlyname"
268This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name
269is typically displayed in list boxes by software importing the file.
270.IP "\fB\-certfile filename\fR" 4
271.IX Item "-certfile filename"
984263bc 272A filename to read additional certificates from.
273.IP "\fB\-caname friendlyname\fR" 4
274.IX Item "-caname friendlyname"
275This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
276used multiple times to specify names for all certificates in the order they
277appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
278displays them.
279.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
280.IX Item "-pass arg, -passout arg"
281the PKCS#12 file (i.e. output file) password source. For more information about
984263bc 282the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
283\&\fIopenssl\fR\|(1).
284.IP "\fB\-passin password\fR" 4
285.IX Item "-passin password"
286pass phrase source to decrypt any input private keys with. For more information
287about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
288\&\fIopenssl\fR\|(1).
289.IP "\fB\-chain\fR" 4
290.IX Item "-chain"
291if this option is present then an attempt is made to include the entire
292certificate chain of the user certificate. The standard \s-1CA\s0 store is used
293for this search. If the search fails it is considered a fatal error.
294.IP "\fB\-descert\fR" 4
295.IX Item "-descert"
296encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
297file unreadable by some \*(L"export grade\*(R" software. By default the private
298key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
299.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
300.IX Item "-keypbe alg, -certpbe alg"
984263bc 301these options allow the algorithm used to encrypt the private key and
302certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
303can be selected it is advisable only to use PKCS#12 algorithms. See the list
984263bc 304in the \fB\s-1NOTES\s0\fR section for more information.
305.IP "\fB\-keyex|\-keysig\fR" 4
306.IX Item "-keyex|-keysig"
307specifies that the private key is to be used for key exchange or just signing.
308This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
8b0cefbb 309\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
310encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
311option marks the key for signing only. Signing only keys can be used for
8b0cefbb 312S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
313authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
314the use of signing only keys for \s-1SSL\s0 client authentication.
315.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
316.IX Item "-nomaciter, -noiter"
317these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
318Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
319these options alone.
320.Sp
321To discourage attacks by using large dictionaries of common passwords the
322algorithm that derives keys from passwords can have an iteration count applied
323to it: this causes a certain part of the algorithm to be repeated and slows it
324down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
325have the same password as the keys and certificates it could also be attacked.
326By default both \s-1MAC\s0 and encryption iteration counts are set to 2048; using
327these options the \s-1MAC\s0 and encryption iteration counts can be set to 1. Since
328this reduces the file security you should not use these options unless you
329really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
8b0cefbb 330\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
984263bc 331option.
332.IP "\fB\-maciter\fR" 4
333.IX Item "-maciter"
334This option is included for compatibility with previous versions; it used
335to be needed to use \s-1MAC\s0 iteration counts but they are now used by default.
336.IP "\fB\-rand file(s)\fR" 4
337.IX Item "-rand file(s)"
984263bc 338a file or files containing random data used to seed the random number
339generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
340Multiple files can be specified separated by an OS-dependent character.
e257b235 341The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
342all others.
343.SH "NOTES"
8b0cefbb 344.IX Header "NOTES"
345Although there are a large number of options most of them are very rarely
346used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used;
347for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
348.PP
349If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
350then all certificates will be output in the order they appear in the input
351PKCS#12 files. There is no guarantee that the first certificate present is
352the one corresponding to the private key. Certain software requires
353a private key and certificate and assumes the first certificate in the
354file is the one corresponding to the private key: this may not always
355be the case. Using the \fB\-clcerts\fR option will solve this problem by only
8b0cefbb 356outputting the certificate corresponding to the private key. If the \s-1CA\s0
984263bc 357certificates are required then they can be output to a separate file using
8b0cefbb 358the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
359.PP
360The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
361algorithms for private keys and certificates to be specified. Normally
362the defaults are fine but occasionally software can't handle triple \s-1DES\s0
363encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
364be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
365description of all algorithms is contained in the \fBpkcs8\fR manual page.
366.SH "EXAMPLES"
8b0cefbb 367.IX Header "EXAMPLES"
368Parse a PKCS#12 file and output it to a file:
369.PP
370.Vb 1
e257b235 371\& openssl pkcs12 \-in file.p12 \-out file.pem
984263bc 372.Ve
8b0cefbb 373.PP
374Output only client certificates to a file:
375.PP
376.Vb 1
e257b235 377\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
984263bc 378.Ve
8b0cefbb 379.PP
984263bc 380Don't encrypt the private key:
381.PP
382.Vb 1
e257b235 383\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes
8b0cefbb 384.Ve
984263bc 385.PP
386Print some info about a PKCS#12 file:
387.PP
388.Vb 1
e257b235 389\& openssl pkcs12 \-in file.p12 \-info \-noout
984263bc 390.Ve
8b0cefbb 391.PP
392Create a PKCS#12 file:
393.PP
394.Vb 1
e257b235 395\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate"
984263bc 396.Ve
8b0cefbb 397.PP
398Include some extra certificates:
399.PP
400.Vb 2
401\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e
402\& \-certfile othercerts.pem
403.Ve
404.SH "BUGS"
8b0cefbb 405.IX Header "BUGS"
406Some would argue that the PKCS#12 standard is one big bug :\-)
407.PP
408Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
409routines. Under rare circumstances this could produce a PKCS#12 file encrypted
410with an invalid key. As a result some PKCS#12 files which triggered this bug
8b0cefbb 411from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted
412by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
413not be decrypted by other implementations. The chances of producing such
414a file are relatively small: less than 1 in 256.
415.PP
416A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
417files can no longer be parsed by the fixed version. Under such circumstances
8b0cefbb 418the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption
419error when extracting private keys.
420.PP
421This problem can be resolved by extracting the private keys and certificates
422from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
423file from the keys and certificates using a newer version of OpenSSL. For example:
424.PP
425.Vb 2
426\& old\-openssl \-in bad.p12 \-out keycerts.pem
427\& openssl \-in keycerts.pem \-export \-name "My PKCS#12 file" \-out fixed.p12
428.Ve
429.SH "SEE ALSO"
e3cdf75b 430.IX Header "SEE ALSO"
8b0cefbb 431\&\fIpkcs8\fR\|(1)