Lines Matching +full:input +full:- +full:only
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-pkcs12 - PKCS#12 file command
11 [B<-help>]
12 [B<-passin> I<arg>]
13 [B<-passout> I<arg>]
14 [B<-password> I<arg>]
15 [B<-twopass>]
16 [B<-in> I<filename>|I<uri>]
17 [B<-out> I<filename>]
18 [B<-nokeys>]
19 [B<-nocerts>]
20 [B<-noout>]
21 [B<-legacy>]
22 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
23 {- $OpenSSL::safe::opt_r_synopsis -}
25 PKCS#12 input (parsing) options:
26 [B<-info>]
27 [B<-nomacver>]
28 [B<-clcerts>]
29 [B<-cacerts>]
31 [B<-aes128>]
32 [B<-aes192>]
33 [B<-aes256>]
34 [B<-aria128>]
35 [B<-aria192>]
36 [B<-aria256>]
37 [B<-camellia128>]
38 [B<-camellia192>]
39 [B<-camellia256>]
40 [B<-des>]
41 [B<-des3>]
42 [B<-idea>]
43 [B<-noenc>]
44 [B<-nodes>]
48 [B<-export>]
49 [B<-inkey> I<filename>|I<uri>]
50 [B<-certfile> I<filename>]
51 [B<-passcerts> I<arg>]
52 [B<-chain>]
53 [B<-untrusted> I<filename>]
54 {- $OpenSSL::safe::opt_trust_synopsis -}
55 [B<-name> I<name>]
56 [B<-caname> I<name>]
57 [B<-CSP> I<name>]
58 [B<-LMK>]
59 [B<-keyex>]
60 [B<-keysig>]
61 [B<-keypbe> I<cipher>]
62 [B<-certpbe> I<cipher>]
63 [B<-descert>]
64 [B<-macalg> I<digest>]
65 [B<-iter> I<count>]
66 [B<-noiter>]
67 [B<-nomaciter>]
68 [B<-maciter>]
69 [B<-nomac>]
81 A PKCS#12 file can be created by using the B<-export> option (see below).
82 The PKCS#12 export encryption and MAC options such as B<-certpbe> and B<-iter>
83 and many further options such as B<-chain> are relevant only with B<-export>.
85 PKCS#12 input are relevant only when the B<-export> option is not given.
87 The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.
90 for example, RC2-40-CBC,
91 try using the B<-legacy> option and, if needed, the B<-provider-path> option.
95 =item B<-help>
99 =item B<-passin> I<arg>
101 The password source for the input, and for encrypting any private keys that
104 see L<openssl-passphrase-options(1)>.
106 =item B<-passout> I<arg>
110 =item B<-password> I<arg>
112 With B<-export>, B<-password> is equivalent to B<-passout>,
113 otherwise it is equivalent to B<-passin>.
115 =item B<-twopass>
120 B<-password>, B<-passin> if importing from PKCS#12, or B<-passout> if exporting.
122 =item B<-nokeys>
126 =item B<-nocerts>
130 =item B<-noout>
133 and so the input is just verified.
135 =item B<-legacy>
138 If OpenSSL is not installed system-wide,
139 it is necessary to also use, for example, C<-provider-path ./providers>
150 {- $OpenSSL::safe::opt_engine_item -}
152 {- $OpenSSL::safe::opt_provider_item -}
154 {- $OpenSSL::safe::opt_r_item -}
158 =head2 PKCS#12 input (parsing) options
162 =item B<-in> I<filename>|I<uri>
164 This specifies the input filename or URI.
165 Standard input is used by default.
166 Without the B<-export> option this must be a PKCS#12 file to be parsed.
167 For use with the B<-export> option
170 =item B<-out> I<filename>
175 =item B<-info>
180 =item B<-nomacver>
184 =item B<-clcerts>
186 Only output client certificates (not CA certificates).
188 =item B<-cacerts>
190 Only output CA certificates (not client certificates).
192 =item B<-aes128>, B<-aes192>, B<-aes256>
196 =item B<-aria128>, B<-aria192>, B<-aria256>
200 =item B<-camellia128>, B<-camellia192>, B<-camellia256>
204 =item B<-des>
208 =item B<-des3>
212 =item B<-idea>
216 =item B<-noenc>
220 =item B<-nodes>
222 This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
230 =item B<-export>
235 =item B<-out> I<filename>
240 =item B<-in> I<filename>|I<uri>
242 This specifies the input filename or URI.
243 Standard input is used by default.
244 With the B<-export> option this is a file with certificates and a key,
250 =item B<-inkey> I<filename>|I<uri>
252 The private key input for PKCS12 output.
253 If this option is not specified then the input file (B<-in> argument) must
256 If the B<-engine> option is used or the URI has prefix C<org.openssl.engine:>
259 =item B<-certfile> I<filename>
261 An input file with extra certificates to be added to the PKCS#12 output
262 if the B<-export> option is given.
264 =item B<-passcerts> I<arg>
266 The password source for certificate input such as B<-certfile>
267 and B<-untrusted>.
269 L<openssl-passphrase-options(1)>.
271 =item B<-chain>
275 The end entity certificate is the first one read from the B<-in> file
278 as well as any untrusted CA certificates given with the B<-untrusted> option.
280 =item B<-untrusted> I<filename>
282 An input file of untrusted certificates that may be used
283 for chain building, which is relevant only when a PKCS#12 file is created
284 with the B<-export> option and the B<-chain> option is given as well.
287 {- $OpenSSL::safe::opt_trust_item -}
289 =item B<-name> I<friendlyname>
294 =item B<-caname> I<friendlyname>
301 =item B<-CSP> I<name>
304 The password source for the input, and for encrypting any private keys that
307 see L<openssl-passphrase-options(1)>.
309 =item B<-LMK>
313 =item B<-keyex>|B<-keysig>
316 This option is only interpreted by MSIE and similar MS software. Normally
317 "export grade" software will only allow 512 bit RSA keys to be used for
318 encryption purposes but arbitrary length keys for signing. The B<-keysig>
319 option marks the key for signing only. Signing-only keys can be used for
321 authentication; however, due to a bug, only MSIE 5.0 and later support
322 the use of signing-only keys for SSL client authentication.
324 =item B<-keypbe> I<alg>, B<-certpbe> I<alg>
329 (as output by C<openssl list -cipher-algorithms>) is specified then it
330 is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
335 =item B<-descert>
338 key and the certificates are encrypted using AES-256-CBC unless
339 the '-legacy' option is used. If '-descert' is used with the '-legacy'
342 =item B<-macalg> I<digest>
346 =item B<-iter> I<count>
357 =item B<-noiter>, B<-nomaciter>
363 MSIE 4.0 doesn't support MAC iteration counts so it needs the B<-nomaciter>
366 =item B<-maciter>
371 =item B<-nomac>
382 used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used;
383 for PKCS#12 file creation B<-export> and B<-name> are also used.
385 If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
386 then all certificates will be output in the order they appear in the input
392 Using the B<-clcerts> option will solve this problem by only
395 the B<-nokeys> B<-cacerts> options to just output CA certificates.
397 The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
400 encrypted private keys, then the option B<-keypbe> I<PBE-SHA1-RC2-40> can
402 description of all algorithms is contained in L<openssl-pkcs8(1)>.
404 Prior to the 1.1 release, passwords containing non-ASCII characters were encoded
405 in a non-compliant manner, which limited interoperability, primarily
406 with Windows. But switching to standard-compliant password encoding
411 MT-safe, its sole goal is to facilitate the data upgrade with this
418 openssl pkcs12 -in file.p12 -out file.pem
420 Output only client certificates to a file:
422 openssl pkcs12 -in file.p12 -clcerts -out file.pem
426 openssl pkcs12 -in file.p12 -out file.pem -noenc
430 openssl pkcs12 -in file.p12 -info -noout
434 openssl pkcs12 -in file.p12 -info -noout -legacy
438 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE"
442 openssl pkcs12 -export -in file.pem -out file.p12 -name "My PSE" \
443 -certfile othercerts.pem
448 openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
453 L<openssl-pkcs8(1)>,
454 L<ossl_store-file(7)>
458 The B<-engine> option was deprecated in OpenSSL 3.0.
459 The B<-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
463 Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.