Lines Matching +full:input +full:- +full:only
18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-PKCS12 1ossl"
134 .TH OPENSSL-PKCS12 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-pkcs12 \- PKCS#12 file command
144 [\fB\-help\fR]
145 [\fB\-passin\fR \fIarg\fR]
146 [\fB\-passout\fR \fIarg\fR]
147 [\fB\-password\fR \fIarg\fR]
148 [\fB\-twopass\fR]
149 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
150 [\fB\-out\fR \fIfilename\fR]
151 [\fB\-nokeys\fR]
152 [\fB\-nocerts\fR]
153 [\fB\-noout\fR]
154 [\fB\-legacy\fR]
155 [\fB\-engine\fR \fIid\fR]
156 [\fB\-provider\fR \fIname\fR]
157 [\fB\-provider\-path\fR \fIpath\fR]
158 [\fB\-propquery\fR \fIpropq\fR]
159 [\fB\-rand\fR \fIfiles\fR]
160 [\fB\-writerand\fR \fIfile\fR]
162 PKCS#12 input (parsing) options:
163 [\fB\-info\fR]
164 [\fB\-nomacver\fR]
165 [\fB\-clcerts\fR]
166 [\fB\-cacerts\fR]
168 [\fB\-aes128\fR]
169 [\fB\-aes192\fR]
170 [\fB\-aes256\fR]
171 [\fB\-aria128\fR]
172 [\fB\-aria192\fR]
173 [\fB\-aria256\fR]
174 [\fB\-camellia128\fR]
175 [\fB\-camellia192\fR]
176 [\fB\-camellia256\fR]
177 [\fB\-des\fR]
178 [\fB\-des3\fR]
179 [\fB\-idea\fR]
180 [\fB\-noenc\fR]
181 [\fB\-nodes\fR]
185 [\fB\-export\fR]
186 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
187 [\fB\-certfile\fR \fIfilename\fR]
188 [\fB\-passcerts\fR \fIarg\fR]
189 [\fB\-chain\fR]
190 [\fB\-untrusted\fR \fIfilename\fR]
191 [\fB\-CAfile\fR \fIfile\fR]
192 [\fB\-no\-CAfile\fR]
193 [\fB\-CApath\fR \fIdir\fR]
194 [\fB\-no\-CApath\fR]
195 [\fB\-CAstore\fR \fIuri\fR]
196 [\fB\-no\-CAstore\fR]
197 [\fB\-name\fR \fIname\fR]
198 [\fB\-caname\fR \fIname\fR]
199 [\fB\-CSP\fR \fIname\fR]
200 [\fB\-LMK\fR]
201 [\fB\-keyex\fR]
202 [\fB\-keysig\fR]
203 [\fB\-keypbe\fR \fIcipher\fR]
204 [\fB\-certpbe\fR \fIcipher\fR]
205 [\fB\-descert\fR]
206 [\fB\-macalg\fR \fIdigest\fR]
207 [\fB\-iter\fR \fIcount\fR]
208 [\fB\-noiter\fR]
209 [\fB\-nomaciter\fR]
210 [\fB\-maciter\fR]
211 [\fB\-nomac\fR]
215 \&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
216 programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
221 A PKCS#12 file can be created by using the \fB\-export\fR option (see below).
222 The PKCS#12 export encryption and \s-1MAC\s0 options such as \fB\-certpbe\fR and \fB\-iter\fR
223 and many further options such as \fB\-chain\fR are relevant only with \fB\-export\fR.
225 PKCS#12 input are relevant only when the \fB\-export\fR option is not given.
227 The default encryption algorithm is \s-1AES\-256\-CBC\s0 with \s-1PBKDF2\s0 for key derivation.
230 for example, \s-1RC2\-40\-CBC,\s0
231 try using the \fB\-legacy\fR option and, if needed, the \fB\-provider\-path\fR option.
232 .IP "\fB\-help\fR" 4
233 .IX Item "-help"
235 .IP "\fB\-passin\fR \fIarg\fR" 4
236 .IX Item "-passin arg"
237 The password source for the input, and for encrypting any private keys that
240 see \fBopenssl\-passphrase\-options\fR\|(1).
241 .IP "\fB\-passout\fR \fIarg\fR" 4
242 .IX Item "-passout arg"
244 .IP "\fB\-password\fR \fIarg\fR" 4
245 .IX Item "-password arg"
246 With \fB\-export\fR, \fB\-password\fR is equivalent to \fB\-passout\fR,
247 otherwise it is equivalent to \fB\-passin\fR.
248 .IP "\fB\-twopass\fR" 4
249 .IX Item "-twopass"
253 \&\fB\-password\fR, \fB\-passin\fR if importing from PKCS#12, or \fB\-passout\fR if exporting.
254 .IP "\fB\-nokeys\fR" 4
255 .IX Item "-nokeys"
257 .IP "\fB\-nocerts\fR" 4
258 .IX Item "-nocerts"
260 .IP "\fB\-noout\fR" 4
261 .IX Item "-noout"
263 and so the input is just verified.
264 .IP "\fB\-legacy\fR" 4
265 .IX Item "-legacy"
267 If OpenSSL is not installed system-wide,
268 it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
269 or to set the environment variable \fB\s-1OPENSSL_MODULES\s0\fR
273 is \s-1RC2_CBC\s0 or 3DES_CBC depending on whether the \s-1RC2\s0 cipher is enabled
277 \&\s-1AES_256_CBC\s0 with \s-1PBKDF2\s0 for key derivation.
278 .IP "\fB\-engine\fR \fIid\fR" 4
279 .IX Item "-engine id"
282 .IP "\fB\-provider\fR \fIname\fR" 4
283 .IX Item "-provider name"
285 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
286 .IX Item "-provider-path path"
287 .IP "\fB\-propquery\fR \fIpropq\fR" 4
288 .IX Item "-propquery propq"
291 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
292 .IX Item "-rand files, -writerand file"
294 .SS "PKCS#12 input (parsing) options"
295 .IX Subsection "PKCS#12 input (parsing) options"
296 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
297 .IX Item "-in filename|uri"
298 This specifies the input filename or \s-1URI.\s0
299 Standard input is used by default.
300 Without the \fB\-export\fR option this must be PKCS#12 file to be parsed.
301 For use with the \fB\-export\fR option
303 .IP "\fB\-out\fR \fIfilename\fR" 4
304 .IX Item "-out filename"
306 default. They are all written in \s-1PEM\s0 format.
307 .IP "\fB\-info\fR" 4
308 .IX Item "-info"
311 .IP "\fB\-nomacver\fR" 4
312 .IX Item "-nomacver"
313 Don't attempt to verify the integrity \s-1MAC.\s0
314 .IP "\fB\-clcerts\fR" 4
315 .IX Item "-clcerts"
316 Only output client certificates (not \s-1CA\s0 certificates).
317 .IP "\fB\-cacerts\fR" 4
318 .IX Item "-cacerts"
319 Only output \s-1CA\s0 certificates (not client certificates).
320 .IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
321 .IX Item "-aes128, -aes192, -aes256"
322 Use \s-1AES\s0 to encrypt private keys before outputting.
323 .IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4
324 .IX Item "-aria128, -aria192, -aria256"
325 Use \s-1ARIA\s0 to encrypt private keys before outputting.
326 .IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
327 .IX Item "-camellia128, -camellia192, -camellia256"
329 .IP "\fB\-des\fR" 4
330 .IX Item "-des"
331 Use \s-1DES\s0 to encrypt private keys before outputting.
332 .IP "\fB\-des3\fR" 4
333 .IX Item "-des3"
334 Use triple \s-1DES\s0 to encrypt private keys before outputting.
335 .IP "\fB\-idea\fR" 4
336 .IX Item "-idea"
337 Use \s-1IDEA\s0 to encrypt private keys before outputting.
338 .IP "\fB\-noenc\fR" 4
339 .IX Item "-noenc"
341 .IP "\fB\-nodes\fR" 4
342 .IX Item "-nodes"
343 This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
346 .IP "\fB\-export\fR" 4
347 .IX Item "-export"
350 .IP "\fB\-out\fR \fIfilename\fR" 4
351 .IX Item "-out filename"
354 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
355 .IX Item "-in filename|uri"
356 This specifies the input filename or \s-1URI.\s0
357 Standard input is used by default.
358 With the \fB\-export\fR option this is a file with certificates and a key,
359 or a \s-1URI\s0 that refers to a key accessed via an engine.
363 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
364 .IX Item "-inkey filename|uri"
365 The private key input for \s-1PKCS12\s0 output.
366 If this option is not specified then the input file (\fB\-in\fR argument) must
369 If the \fB\-engine\fR option is used or the \s-1URI\s0 has prefix \f(CW\*(C`org.openssl.engine:\*(C…
370 then the rest of the \s-1URI\s0 is taken as key identifier for the given engine.
371 .IP "\fB\-certfile\fR \fIfilename\fR" 4
372 .IX Item "-certfile filename"
373 An input file with extra certificates to be added to the PKCS#12 output
374 if the \fB\-export\fR option is given.
375 .IP "\fB\-passcerts\fR \fIarg\fR" 4
376 .IX Item "-passcerts arg"
377 The password source for certificate input such as \fB\-certfile\fR
378 and \fB\-untrusted\fR.
380 \&\fBopenssl\-passphrase\-options\fR\|(1).
381 .IP "\fB\-chain\fR" 4
382 .IX Item "-chain"
385 The end entity certificate is the first one read from the \fB\-in\fR file
387 The standard \s-1CA\s0 trust store is used for chain building,
388 as well as any untrusted \s-1CA\s0 certificates given with the \fB\-untrusted\fR option.
389 .IP "\fB\-untrusted\fR \fIfilename\fR" 4
390 .IX Item "-untrusted filename"
391 An input file of untrusted certificates that may be used
392 for chain building, which is relevant only when a PKCS#12 file is created
393 with the \fB\-export\fR option and the \fB\-chain\fR option is given as well.
395 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
396 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
397 See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
398 .IP "\fB\-name\fR \fIfriendlyname\fR" 4
399 .IX Item "-name friendlyname"
402 .IP "\fB\-caname\fR \fIfriendlyname\fR" 4
403 .IX Item "-caname friendlyname"
406 appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
408 .IP "\fB\-CSP\fR \fIname\fR" 4
409 .IX Item "-CSP name"
410 Write \fIname\fR as a Microsoft \s-1CSP\s0 name.
411 The password source for the input, and for encrypting any private keys that
414 see \fBopenssl\-passphrase\-options\fR\|(1).
415 .IP "\fB\-LMK\fR" 4
416 .IX Item "-LMK"
418 .IP "\fB\-keyex\fR|\fB\-keysig\fR" 4
419 .IX Item "-keyex|-keysig"
421 This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
422 \&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
423 encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
424 option marks the key for signing only. Signing only keys can be used for
425 S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
426 authentication, however, due to a bug only \s-1MSIE 5.0\s0 and later support
427 the use of signing only keys for \s-1SSL\s0 client authentication.
428 .IP "\fB\-keypbe\fR \fIalg\fR, \fB\-certpbe\fR \fIalg\fR" 4
429 .IX Item "-keypbe alg, -certpbe alg"
431 certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
432 can be used (see \*(L"\s-1NOTES\*(R"\s0 section for more information). If a cipher name
433 (as output by \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR) is specified then it
434 is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
438 .IP "\fB\-descert\fR" 4
439 .IX Item "-descert"
440 Encrypt the certificates using triple \s-1DES.\s0 By default the private
441 key and the certificates are encrypted using \s-1AES\-256\-CBC\s0 unless
442 the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
443 then both, the private key and the certificates are encrypted using triple \s-1DES.\s0
444 .IP "\fB\-macalg\fR \fIdigest\fR" 4
445 .IX Item "-macalg digest"
446 Specify the \s-1MAC\s0 digest algorithm. If not included \s-1SHA256\s0 will be used.
447 .IP "\fB\-iter\fR \fIcount\fR" 4
448 .IX Item "-iter count"
449 This option specifies the iteration count for the encryption key and \s-1MAC.\s0 The
455 down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
457 .IP "\fB\-noiter\fR, \fB\-nomaciter\fR" 4
458 .IX Item "-noiter, -nomaciter"
459 By default both encryption and \s-1MAC\s0 iteration counts are set to 2048, using
460 these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
462 really have to. Most software supports both \s-1MAC\s0 and encryption iteration counts.
463 \&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
465 .IP "\fB\-maciter\fR" 4
466 .IX Item "-maciter"
468 to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
469 .IP "\fB\-nomac\fR" 4
470 .IX Item "-nomac"
471 Do not attempt to provide the \s-1MAC\s0 integrity. This can be useful with the \s-1FIPS\s0
472 provider as the \s-1PKCS12 MAC\s0 requires \s-1PKCS12KDF\s0 which is not an approved \s-1FIPS\s0
473 algorithm and cannot be supported by the \s-1FIPS\s0 provider.
477 used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
478 for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
480 If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
481 then all certificates will be output in the order they appear in the input
487 Using the \fB\-clcerts\fR option will solve this problem by only
488 outputting the certificate corresponding to the private key. If the \s-1CA\s0
490 the \fB\-nokeys\fR \fB\-cacerts\fR options to just output \s-1CA\s0 certificates.
492 The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
494 the defaults are fine but occasionally software can't handle triple \s-1DES\s0
495 encrypted private keys, then the option \fB\-keypbe\fR \fI\s-1PBE\-SHA1\-RC2\-40\s0\fR can
496 be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
497 description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
499 Prior 1.1 release passwords containing non-ASCII characters were encoded
500 in non-compliant manner, which limited interoperability, in first hand
501 with Windows. But switching to standard-compliant password encoding
506 MT-safe, its sole goal is to facilitate the data upgrade with this
510 Parse a PKCS#12 file and output it to a \s-1PEM\s0 file:
513 \& openssl pkcs12 \-in file.p12 \-out file.pem
516 Output only client certificates to a file:
519 \& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
525 \& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
531 \& openssl pkcs12 \-in file.p12 \-info \-noout
537 \& openssl pkcs12 \-in file.p12 \-info \-noout \-legacy
540 Create a PKCS#12 file from a \s-1PEM\s0 file that may contain a key and certificates:
543 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE"
549 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE" \e
550 \& \-certfile othercerts.pem
553 Export a PKCS#12 file with data from a certificate \s-1PEM\s0 file and from a further
554 \&\s-1PEM\s0 file containing a key, with default algorithms as in the legacy provider:
557 \& openssl pkcs12 \-export \-in cert.pem \-inkey key.pem \-out file.p12 \-legacy
562 \&\fBopenssl\-pkcs8\fR\|(1),
563 \&\fBossl_store\-file\fR\|(7)
566 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
567 The \fB\-nodes\fR option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
570 Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
574 in the file \s-1LICENSE\s0 in the source distribution or at