Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / usr.bin / openssl / man / pkcs12.1
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
8b0cefbb
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
8b0cefbb
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
8b0cefbb
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
8b0cefbb
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
8b0cefbb
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "PKCS12 1"
e3261593 127.TH PKCS12 1 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc
MD
132.SH "NAME"
133pkcs12 \- PKCS#12 file utility
134.SH "SYNOPSIS"
8b0cefbb
JR
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBpkcs12\fR
984263bc
MD
137[\fB\-export\fR]
138[\fB\-chain\fR]
139[\fB\-inkey filename\fR]
140[\fB\-certfile filename\fR]
141[\fB\-name name\fR]
142[\fB\-caname name\fR]
143[\fB\-in filename\fR]
144[\fB\-out filename\fR]
145[\fB\-noout\fR]
146[\fB\-nomacver\fR]
147[\fB\-nocerts\fR]
148[\fB\-clcerts\fR]
149[\fB\-cacerts\fR]
150[\fB\-nokeys\fR]
151[\fB\-info\fR]
01185282 152[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR]
984263bc 153[\fB\-noiter\fR]
01185282 154[\fB\-maciter | \-nomaciter | \-nomac\fR]
984263bc
MD
155[\fB\-twopass\fR]
156[\fB\-descert\fR]
01185282
PA
157[\fB\-certpbe cipher\fR]
158[\fB\-keypbe cipher\fR]
159[\fB\-macalg digest\fR]
984263bc
MD
160[\fB\-keyex\fR]
161[\fB\-keysig\fR]
162[\fB\-password arg\fR]
163[\fB\-passin arg\fR]
164[\fB\-passout arg\fR]
e3cdf75b 165[\fB\-rand file(s)\fR]
01185282
PA
166[\fB\-CAfile file\fR]
167[\fB\-CApath dir\fR]
168[\fB\-CSP name\fR]
984263bc 169.SH "DESCRIPTION"
8b0cefbb 170.IX Header "DESCRIPTION"
984263bc 171The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
8b0cefbb
JR
172\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
173programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
984263bc 174.SH "COMMAND OPTIONS"
8b0cefbb 175.IX Header "COMMAND OPTIONS"
984263bc 176There are a lot of options the meaning of some depends of whether a PKCS#12 file
01185282 177is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
984263bc
MD
178file can be created by using the \fB\-export\fR option (see below).
179.SH "PARSING OPTIONS"
8b0cefbb
JR
180.IX Header "PARSING OPTIONS"
181.IP "\fB\-in filename\fR" 4
182.IX Item "-in filename"
183This specifies filename of the PKCS#12 file to be parsed. Standard input is used
984263bc 184by default.
8b0cefbb
JR
185.IP "\fB\-out filename\fR" 4
186.IX Item "-out filename"
01185282
PA
187The filename to write certificates and private keys to, standard output by
188default. They are all written in \s-1PEM\s0 format.
8b0cefbb
JR
189.IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
190.IX Item "-pass arg, -passin arg"
01185282
PA
191the PKCS#12 file (i.e. input file) password source. For more information about
192the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
8b0cefbb
JR
193\&\fIopenssl\fR\|(1).
194.IP "\fB\-passout arg\fR" 4
195.IX Item "-passout arg"
01185282
PA
196pass phrase source to encrypt any outputed private keys with. For more
197information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section
198in \fIopenssl\fR\|(1).
8b0cefbb
JR
199.IP "\fB\-noout\fR" 4
200.IX Item "-noout"
01185282
PA
201this option inhibits output of the keys and certificates to the output file
202version of the PKCS#12 file.
8b0cefbb
JR
203.IP "\fB\-clcerts\fR" 4
204.IX Item "-clcerts"
984263bc 205only output client certificates (not \s-1CA\s0 certificates).
8b0cefbb
JR
206.IP "\fB\-cacerts\fR" 4
207.IX Item "-cacerts"
984263bc 208only output \s-1CA\s0 certificates (not client certificates).
8b0cefbb
JR
209.IP "\fB\-nocerts\fR" 4
210.IX Item "-nocerts"
984263bc 211no certificates at all will be output.
8b0cefbb
JR
212.IP "\fB\-nokeys\fR" 4
213.IX Item "-nokeys"
984263bc 214no private keys will be output.
8b0cefbb
JR
215.IP "\fB\-info\fR" 4
216.IX Item "-info"
217output additional information about the PKCS#12 file structure, algorithms used and
984263bc 218iteration counts.
8b0cefbb
JR
219.IP "\fB\-des\fR" 4
220.IX Item "-des"
984263bc 221use \s-1DES\s0 to encrypt private keys before outputting.
8b0cefbb
JR
222.IP "\fB\-des3\fR" 4
223.IX Item "-des3"
984263bc 224use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
8b0cefbb
JR
225.IP "\fB\-idea\fR" 4
226.IX Item "-idea"
984263bc 227use \s-1IDEA\s0 to encrypt private keys before outputting.
01185282
PA
228.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
229.IX Item "-aes128, -aes192, -aes256"
230use \s-1AES\s0 to encrypt private keys before outputting.
231.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
232.IX Item "-camellia128, -camellia192, -camellia256"
233use Camellia to encrypt private keys before outputting.
8b0cefbb
JR
234.IP "\fB\-nodes\fR" 4
235.IX Item "-nodes"
984263bc 236don't encrypt the private keys at all.
8b0cefbb
JR
237.IP "\fB\-nomacver\fR" 4
238.IX Item "-nomacver"
984263bc 239don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
8b0cefbb
JR
240.IP "\fB\-twopass\fR" 4
241.IX Item "-twopass"
984263bc
MD
242prompt for separate integrity and encryption passwords: most software
243always assumes these are the same so this option will render such
8b0cefbb 244PKCS#12 files unreadable.
984263bc 245.SH "FILE CREATION OPTIONS"
8b0cefbb
JR
246.IX Header "FILE CREATION OPTIONS"
247.IP "\fB\-export\fR" 4
248.IX Item "-export"
249This option specifies that a PKCS#12 file will be created rather than
984263bc 250parsed.
8b0cefbb
JR
251.IP "\fB\-out filename\fR" 4
252.IX Item "-out filename"
253This specifies filename to write the PKCS#12 file to. Standard output is used
984263bc 254by default.
8b0cefbb
JR
255.IP "\fB\-in filename\fR" 4
256.IX Item "-in filename"
01185282
PA
257The filename to read certificates and private keys from, standard input by
258default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one
259private key and its corresponding certificate should be present. If additional
260certificates are present they will also be included in the PKCS#12 file.
8b0cefbb
JR
261.IP "\fB\-inkey filename\fR" 4
262.IX Item "-inkey filename"
984263bc
MD
263file to read private key from. If not present then a private key must be present
264in the input file.
8b0cefbb
JR
265.IP "\fB\-name friendlyname\fR" 4
266.IX Item "-name friendlyname"
01185282
PA
267This specifies the \*(L"friendly name\*(R" for the certificate and private key. This
268name is typically displayed in list boxes by software importing the file.
8b0cefbb
JR
269.IP "\fB\-certfile filename\fR" 4
270.IX Item "-certfile filename"
984263bc 271A filename to read additional certificates from.
8b0cefbb
JR
272.IP "\fB\-caname friendlyname\fR" 4
273.IX Item "-caname friendlyname"
984263bc
MD
274This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
275used multiple times to specify names for all certificates in the order they
276appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
277displays them.
8b0cefbb
JR
278.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
279.IX Item "-pass arg, -passout arg"
280the PKCS#12 file (i.e. output file) password source. For more information about
984263bc 281the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
8b0cefbb
JR
282\&\fIopenssl\fR\|(1).
283.IP "\fB\-passin password\fR" 4
284.IX Item "-passin password"
984263bc
MD
285pass phrase source to decrypt any input private keys with. For more information
286about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
8b0cefbb
JR
287\&\fIopenssl\fR\|(1).
288.IP "\fB\-chain\fR" 4
289.IX Item "-chain"
984263bc
MD
290if this option is present then an attempt is made to include the entire
291certificate chain of the user certificate. The standard \s-1CA\s0 store is used
292for this search. If the search fails it is considered a fatal error.
8b0cefbb
JR
293.IP "\fB\-descert\fR" 4
294.IX Item "-descert"
295encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
984263bc
MD
296file unreadable by some \*(L"export grade\*(R" software. By default the private
297key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
8b0cefbb
JR
298.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
299.IX Item "-keypbe alg, -certpbe alg"
984263bc 300these options allow the algorithm used to encrypt the private key and
01185282
PA
301certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
302can be used (see \fB\s-1NOTES\s0\fR section for more information). If a a cipher name
303(as output by the \fBlist-cipher-algorithms\fR command is specified then it
304is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
305use PKCS#12 algorithms.
8b0cefbb
JR
306.IP "\fB\-keyex|\-keysig\fR" 4
307.IX Item "-keyex|-keysig"
984263bc
MD
308specifies that the private key is to be used for key exchange or just signing.
309This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
8b0cefbb 310\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
984263bc
MD
311encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
312option marks the key for signing only. Signing only keys can be used for
8b0cefbb 313S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
984263bc
MD
314authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
315the use of signing only keys for \s-1SSL\s0 client authentication.
01185282
PA
316.IP "\fB\-macalg digest\fR" 4
317.IX Item "-macalg digest"
318specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used.
8b0cefbb
JR
319.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
320.IX Item "-nomaciter, -noiter"
984263bc
MD
321these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
322Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
323these options alone.
324.Sp
325To discourage attacks by using large dictionaries of common passwords the
326algorithm that derives keys from passwords can have an iteration count applied
327to it: this causes a certain part of the algorithm to be repeated and slows it
328down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
329have the same password as the keys and certificates it could also be attacked.
330By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
331these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
332this reduces the file security you should not use these options unless you
333really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
8b0cefbb 334\&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
984263bc 335option.
8b0cefbb
JR
336.IP "\fB\-maciter\fR" 4
337.IX Item "-maciter"
984263bc
MD
338This option is included for compatibility with previous versions, it used
339to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
01185282
PA
340.IP "\fB\-nomac\fR" 4
341.IX Item "-nomac"
342don't attempt to provide the \s-1MAC\s0 integrity.
8b0cefbb
JR
343.IP "\fB\-rand file(s)\fR" 4
344.IX Item "-rand file(s)"
984263bc 345a file or files containing random data used to seed the random number
8b0cefbb
JR
346generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
347Multiple files can be specified separated by a OS-dependent character.
e257b235 348The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc 349all others.
01185282
PA
350.IP "\fB\-CAfile file\fR" 4
351.IX Item "-CAfile file"
352\&\s-1CA\s0 storage as a file.
353.IP "\fB\-CApath dir\fR" 4
354.IX Item "-CApath dir"
355\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate
356directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be
357linked to each certificate.
358.IP "\fB\-CSP name\fR" 4
359.IX Item "-CSP name"
360write \fBname\fR as a Microsoft \s-1CSP\s0 name.
984263bc 361.SH "NOTES"
8b0cefbb 362.IX Header "NOTES"
984263bc
MD
363Although there are a large number of options most of them are very rarely
364used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
365for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
366.PP
367If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
368then all certificates will be output in the order they appear in the input
369PKCS#12 files. There is no guarantee that the first certificate present is
370the one corresponding to the private key. Certain software which requires
371a private key and certificate and assumes the first certificate in the
372file is the one corresponding to the private key: this may not always
373be the case. Using the \fB\-clcerts\fR option will solve this problem by only
8b0cefbb 374outputting the certificate corresponding to the private key. If the \s-1CA\s0
984263bc 375certificates are required then they can be output to a separate file using
8b0cefbb 376the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
984263bc
MD
377.PP
378The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
379algorithms for private keys and certificates to be specified. Normally
8b0cefbb
JR
380the defaults are fine but occasionally software can't handle triple \s-1DES\s0
381encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
382be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
984263bc
MD
383description of all algorithms is contained in the \fBpkcs8\fR manual page.
384.SH "EXAMPLES"
8b0cefbb 385.IX Header "EXAMPLES"
984263bc
MD
386Parse a PKCS#12 file and output it to a file:
387.PP
388.Vb 1
e257b235 389\& openssl pkcs12 \-in file.p12 \-out file.pem
984263bc 390.Ve
8b0cefbb 391.PP
984263bc
MD
392Output only client certificates to a file:
393.PP
394.Vb 1
e257b235 395\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
984263bc 396.Ve
8b0cefbb 397.PP
984263bc 398Don't encrypt the private key:
8b0cefbb
JR
399.PP
400.Vb 1
e257b235 401\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes
8b0cefbb 402.Ve
984263bc 403.PP
984263bc
MD
404Print some info about a PKCS#12 file:
405.PP
406.Vb 1
e257b235 407\& openssl pkcs12 \-in file.p12 \-info \-noout
984263bc 408.Ve
8b0cefbb 409.PP
984263bc
MD
410Create a PKCS#12 file:
411.PP
412.Vb 1
e257b235 413\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate"
984263bc 414.Ve
8b0cefbb 415.PP
984263bc
MD
416Include some extra certificates:
417.PP
418.Vb 2
e257b235
PA
419\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e
420\& \-certfile othercerts.pem
984263bc
MD
421.Ve
422.SH "BUGS"
8b0cefbb 423.IX Header "BUGS"
984263bc
MD
424Some would argue that the PKCS#12 standard is one big bug :\-)
425.PP
426Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
427routines. Under rare circumstances this could produce a PKCS#12 file encrypted
428with an invalid key. As a result some PKCS#12 files which triggered this bug
8b0cefbb 429from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted
984263bc
MD
430by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
431not be decrypted by other implementations. The chances of producing such
432a file are relatively small: less than 1 in 256.
433.PP
434A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
435files cannot no longer be parsed by the fixed version. Under such circumstances
8b0cefbb 436the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption
984263bc
MD
437error when extracting private keys.
438.PP
439This problem can be resolved by extracting the private keys and certificates
440from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
441file from the keys and certificates using a newer version of OpenSSL. For example:
442.PP
443.Vb 2
e257b235
PA
444\& old\-openssl \-in bad.p12 \-out keycerts.pem
445\& openssl \-in keycerts.pem \-export \-name "My PKCS#12 file" \-out fixed.p12
984263bc
MD
446.Ve
447.SH "SEE ALSO"
e3cdf75b 448.IX Header "SEE ALSO"
8b0cefbb 449\&\fIpkcs8\fR\|(1)