Lines Matching +full:mac +full:- +full:only

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-PKCS12 1ossl"
58 .TH OPENSSL-PKCS12 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-pkcs12 \- PKCS#12 file command
68 [\fB\-help\fR]
69 [\fB\-passin\fR \fIarg\fR]
70 [\fB\-passout\fR \fIarg\fR]
71 [\fB\-password\fR \fIarg\fR]
72 [\fB\-twopass\fR]
73 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
74 [\fB\-out\fR \fIfilename\fR]
75 [\fB\-nokeys\fR]
76 [\fB\-nocerts\fR]
77 [\fB\-noout\fR]
78 [\fB\-legacy\fR]
79 [\fB\-engine\fR \fIid\fR]
80 [\fB\-provider\fR \fIname\fR]
81 [\fB\-provider\-path\fR \fIpath\fR]
82 [\fB\-provparam\fR \fI[name:]key=value\fR]
83 [\fB\-propquery\fR \fIpropq\fR]
84 [\fB\-rand\fR \fIfiles\fR]
85 [\fB\-writerand\fR \fIfile\fR]
88 [\fB\-info\fR]
89 [\fB\-nomacver\fR]
90 [\fB\-clcerts\fR]
91 [\fB\-cacerts\fR]
93 [\fB\-aes128\fR]
94 [\fB\-aes192\fR]
95 [\fB\-aes256\fR]
96 [\fB\-aria128\fR]
97 [\fB\-aria192\fR]
98 [\fB\-aria256\fR]
99 [\fB\-camellia128\fR]
100 [\fB\-camellia192\fR]
101 [\fB\-camellia256\fR]
102 [\fB\-des\fR]
103 [\fB\-des3\fR]
104 [\fB\-idea\fR]
105 [\fB\-noenc\fR]
106 [\fB\-nodes\fR]
110 [\fB\-export\fR]
111 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
112 [\fB\-certfile\fR \fIfilename\fR]
113 [\fB\-passcerts\fR \fIarg\fR]
114 [\fB\-chain\fR]
115 [\fB\-untrusted\fR \fIfilename\fR]
116 [\fB\-CAfile\fR \fIfile\fR]
117 [\fB\-no\-CAfile\fR]
118 [\fB\-CApath\fR \fIdir\fR]
119 [\fB\-no\-CApath\fR]
120 [\fB\-CAstore\fR \fIuri\fR]
121 [\fB\-no\-CAstore\fR]
122 [\fB\-name\fR \fIname\fR]
123 [\fB\-caname\fR \fIname\fR]
124 [\fB\-CSP\fR \fIname\fR]
125 [\fB\-LMK\fR]
126 [\fB\-keyex\fR]
127 [\fB\-keysig\fR]
128 [\fB\-keypbe\fR \fIcipher\fR]
129 [\fB\-certpbe\fR \fIcipher\fR]
130 [\fB\-descert\fR]
131 [\fB\-macalg\fR \fIdigest\fR]
132 [\fB\-pbmac1_pbkdf2\fR]
133 [\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR]
134 [\fB\-iter\fR \fIcount\fR]
135 [\fB\-noiter\fR]
136 [\fB\-nomaciter\fR]
137 [\fB\-maciter\fR]
138 [\fB\-macsaltlen\fR]
139 [\fB\-nomac\fR]
140 [\fB\-jdktrust\fR \fIusage\fR]
150 A PKCS#12 file can be created by using the \fB\-export\fR option (see below).
151 The PKCS#12 export encryption and MAC options such as \fB\-certpbe\fR and \fB\-iter\fR
152 and many further options such as \fB\-chain\fR are relevant only with \fB\-export\fR.
154 PKCS#12 input are relevant only when the \fB\-export\fR option is not given.
156 The default encryption algorithm is AES\-256\-CBC with PBKDF2 for key derivation.
159 for example, RC2\-40\-CBC,
160 try using the \fB\-legacy\fR option and, if needed, the \fB\-provider\-path\fR option.
161 .IP \fB\-help\fR 4
162 .IX Item "-help"
164 .IP "\fB\-passin\fR \fIarg\fR" 4
165 .IX Item "-passin arg"
169 see \fBopenssl\-passphrase\-options\fR\|(1).
170 .IP "\fB\-passout\fR \fIarg\fR" 4
171 .IX Item "-passout arg"
173 .IP "\fB\-password\fR \fIarg\fR" 4
174 .IX Item "-password arg"
175 With \fB\-export\fR, \fB\-password\fR is equivalent to \fB\-passout\fR,
176 otherwise it is equivalent to \fB\-passin\fR.
177 .IP \fB\-twopass\fR 4
178 .IX Item "-twopass"
182 \&\fB\-password\fR, \fB\-passin\fR if importing from PKCS#12, or \fB\-passout\fR if exporting.
183 .IP \fB\-nokeys\fR 4
184 .IX Item "-nokeys"
186 .IP \fB\-nocerts\fR 4
187 .IX Item "-nocerts"
189 .IP \fB\-noout\fR 4
190 .IX Item "-noout"
193 .IP \fB\-legacy\fR 4
194 .IX Item "-legacy"
196 If OpenSSL is not installed system-wide,
197 it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
207 .IP "\fB\-engine\fR \fIid\fR" 4
208 .IX Item "-engine id"
211 .IP "\fB\-provider\fR \fIname\fR" 4
212 .IX Item "-provider name"
214 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
215 .IX Item "-provider-path path"
216 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
217 .IX Item "-provparam [name:]key=value"
218 .IP "\fB\-propquery\fR \fIpropq\fR" 4
219 .IX Item "-propquery propq"
222 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
223 .IX Item "-rand files, -writerand file"
227 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
228 .IX Item "-in filename|uri"
231 Without the \fB\-export\fR option this must be a PKCS#12 file to be parsed.
232 For use with the \fB\-export\fR option
234 .IP "\fB\-out\fR \fIfilename\fR" 4
235 .IX Item "-out filename"
238 .IP \fB\-info\fR 4
239 .IX Item "-info"
242 .IP \fB\-nomacver\fR 4
243 .IX Item "-nomacver"
244 Don't attempt to verify the integrity MAC.
245 .IP \fB\-clcerts\fR 4
246 .IX Item "-clcerts"
247 Only output client certificates (not CA certificates).
248 .IP \fB\-cacerts\fR 4
249 .IX Item "-cacerts"
250 Only output CA certificates (not client certificates).
251 .IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
252 .IX Item "-aes128, -aes192, -aes256"
254 .IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4
255 .IX Item "-aria128, -aria192, -aria256"
257 .IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
258 .IX Item "-camellia128, -camellia192, -camellia256"
260 .IP \fB\-des\fR 4
261 .IX Item "-des"
263 .IP \fB\-des3\fR 4
264 .IX Item "-des3"
266 .IP \fB\-idea\fR 4
267 .IX Item "-idea"
269 .IP \fB\-noenc\fR 4
270 .IX Item "-noenc"
272 .IP \fB\-nodes\fR 4
273 .IX Item "-nodes"
274 This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
277 .IP \fB\-export\fR 4
278 .IX Item "-export"
281 .IP "\fB\-out\fR \fIfilename\fR" 4
282 .IX Item "-out filename"
285 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
286 .IX Item "-in filename|uri"
289 With the \fB\-export\fR option this is a file with certificates and a key,
294 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
295 .IX Item "-inkey filename|uri"
297 If this option is not specified then the input file (\fB\-in\fR argument) must
300 If the \fB\-engine\fR option is used or the URI has prefix \f(CW\*(C`org.openssl.engine:\*(C'\fR
302 .IP "\fB\-certfile\fR \fIfilename\fR" 4
303 .IX Item "-certfile filename"
305 if the \fB\-export\fR option is given.
306 .IP "\fB\-passcerts\fR \fIarg\fR" 4
307 .IX Item "-passcerts arg"
308 The password source for certificate input such as \fB\-certfile\fR
309 and \fB\-untrusted\fR.
311 \&\fBopenssl\-passphrase\-options\fR\|(1).
312 .IP \fB\-chain\fR 4
313 .IX Item "-chain"
316 The end entity certificate is the first one read from the \fB\-in\fR file
319 as well as any untrusted CA certificates given with the \fB\-untrusted\fR option.
320 .IP "\fB\-untrusted\fR \fIfilename\fR" 4
321 .IX Item "-untrusted filename"
323 for chain building, which is relevant only when a PKCS#12 file is created
324 with the \fB\-export\fR option and the \fB\-chain\fR option is given as well.
326 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
327 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
328 See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
329 .IP "\fB\-name\fR \fIfriendlyname\fR" 4
330 .IX Item "-name friendlyname"
333 .IP "\fB\-caname\fR \fIfriendlyname\fR" 4
334 .IX Item "-caname friendlyname"
339 .IP "\fB\-CSP\fR \fIname\fR" 4
340 .IX Item "-CSP name"
345 see \fBopenssl\-passphrase\-options\fR\|(1).
346 .IP \fB\-LMK\fR 4
347 .IX Item "-LMK"
349 .IP \fB\-keyex\fR|\fB\-keysig\fR 4
350 .IX Item "-keyex|-keysig"
352 This option is only interpreted by MSIE and similar MS software. Normally
353 "export grade" software will only allow 512 bit RSA keys to be used for
354 encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
355 option marks the key for signing only. Signing-only keys can be used for
357 authentication, however, due to a bug only MSIE 5.0 and later support
358 the use of signing-only keys for SSL client authentication.
359 .IP "\fB\-keypbe\fR \fIalg\fR, \fB\-certpbe\fR \fIalg\fR" 4
360 .IX Item "-keypbe alg, -certpbe alg"
364 (as output by \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR) is specified then it
365 is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
369 .IP \fB\-descert\fR 4
370 .IX Item "-descert"
372 key and the certificates are encrypted using AES\-256\-CBC unless
373 the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
375 .IP "\fB\-macalg\fR \fIdigest\fR" 4
376 .IX Item "-macalg digest"
377 Specify the MAC digest algorithm. If not included SHA256 will be used.
378 .IP \fB\-pbmac1_pbkdf2\fR 4
379 .IX Item "-pbmac1_pbkdf2"
380 Use PBMAC1 with PBKDF2 for MAC protection of the PKCS#12 file.
381 .IP "\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR" 4
382 .IX Item "-pbmac1_pbkdf2_md digest"
384 Unless \f(CW\*(C`\-pbmac1_pbkdf2\*(C'\fR is specified, this parameter is ignored.
385 .IP "\fB\-iter\fR \fIcount\fR" 4
386 .IX Item "-iter count"
387 This option specifies the iteration count for the encryption key and MAC. The
393 down. The MAC is used to check the file integrity but since it will normally
395 .IP "\fB\-noiter\fR, \fB\-nomaciter\fR" 4
396 .IX Item "-noiter, -nomaciter"
397 By default both encryption and MAC iteration counts are set to 2048; using
398 these options the MAC and encryption iteration counts can be set to 1, since
400 really have to. Most software supports both MAC and encryption iteration counts.
401 MSIE 4.0 doesn't support MAC iteration counts so it needs the \fB\-nomaciter\fR
403 .IP \fB\-maciter\fR 4
404 .IX Item "-maciter"
406 to be needed to use MAC iteration counts but they are now used by default.
407 .IP \fB\-macsaltlen\fR 4
408 .IX Item "-macsaltlen"
409 This option specifies the salt length in bytes for the MAC. The salt length
410 should be at least 16 bytes as per NIST SP 800\-132. The default value
412 .IP \fB\-nomac\fR 4
413 .IX Item "-nomac"
414 Do not attempt to provide the MAC integrity. This can be useful with the FIPS
415 provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
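The MAC integrity mechanism that \-macalg, \-iter, \-macsaltlen, \-nomacver and \-nomac refer to, modelled in Python as an added example (this is not OpenSSL's code): the PKCS12 KDF of RFC 7292 Appendix B.2 derives the MAC key (key ID 3) from the password, salt and iteration count, and an HMAC with the chosen digest is taken over the authSafe content. The sample authSafe bytes and the salt below are constructed for the demonstration; a real file carries its salt and iteration count in its macData structure. The PBMAC1 route selected by \-pbmac1_pbkdf2 replaces this KDF with PBKDF2 and is not modelled here.

```python
"""Stand-alone model of the PKCS#12 MAC that -iter, -macsaltlen, -macalg and
-nomac control: the PKCS12 KDF from RFC 7292 Appendix B.2 (key ID 3 = MAC key)
followed by HMAC over the authSafe content. Added example, not OpenSSL code."""
import hashlib
import hmac

# Constructed sample input: stands in for the DER-encoded authSafe content
# octets over which a real PKCS#12 file's MAC is computed.
SAMPLE_AUTHSAFE = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, 16 bytes
DEFAULT_ITER = 2048            # openssl pkcs12 default iteration count
MIN_SALT_LEN = 16              # NIST SP 800-132 minimum cited under -macsaltlen


def _bmp_password(password: str) -> bytes:
    """PKCS#12 passwords are BMPStrings: UTF-16BE plus a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _expand(data: bytes, v: int) -> bytes:
    """Repeat data to the smallest multiple of v that covers it (RFC 7292 B.2 steps 3-4)."""
    if not data:
        return b""
    length = -(-len(data) // v) * v
    return (data * (length // len(data) + 1))[:length]


def pkcs12_kdf(password: str, salt: bytes, key_id: int, iterations: int,
               n: int, hash_name: str = "sha256") -> bytes:
    """Derive n bytes of key material. key_id: 1 = cipher key, 2 = IV, 3 = MAC key."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    h = hashlib.new(hash_name)
    u, v = h.digest_size, h.block_size      # u = hash length, v = hash block size
    d = bytes([key_id]) * v                 # "diversifier" block D
    i_block = bytearray(_expand(salt, v) + _expand(_bmp_password(password), v))
    out = b""
    while len(out) < n:
        a = hashlib.new(hash_name, d + bytes(i_block)).digest()
        for _ in range(iterations - 1):      # the iteration count is what -iter sets
            a = hashlib.new(hash_name, a).digest()
        out += a
        b_plus_one = int.from_bytes((a * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(i_block), v):  # I_j = (I_j + B + 1) mod 2^(8v)
            word = (int.from_bytes(i_block[j:j + v], "big") + b_plus_one) % (1 << (8 * v))
            i_block[j:j + v] = word.to_bytes(v, "big")
    return out[:n]


def pkcs12_mac(password: str, salt: bytes, iterations: int, authsafe: bytes,
               hash_name: str = "sha256") -> bytes:
    """MAC = HMAC-<digest>(PKCS12KDF(password, salt, ID=3, iterations), authsafe)."""
    key_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, 3, iterations, key_len, hash_name)
    return hmac.new(key, authsafe, hash_name).digest()


def verify_mac(password: str, salt: bytes, iterations: int, authsafe: bytes,
               expected_mac: bytes, hash_name: str = "sha256") -> bool:
    """The check that -nomacver skips: constant-time comparison of the recomputed MAC."""
    return hmac.compare_digest(pkcs12_mac(password, salt, iterations, authsafe, hash_name),
                               expected_mac)


def mac_param_warnings(salt: bytes, iterations: int) -> list:
    """Flag MAC parameters weaker than the documented guidance (16-byte salt, 2048 iterations)."""
    warnings = []
    if len(salt) < MIN_SALT_LEN:
        warnings.append("MAC salt shorter than %d bytes" % MIN_SALT_LEN)
    if iterations < DEFAULT_ITER:
        warnings.append("MAC iteration count below the default of %d" % DEFAULT_ITER)
    return warnings


def run_demo(password: str = "correct horse") -> dict:
    """Round trip: a genuine MAC verifies, tampered content and a wrong password do not."""
    mac = pkcs12_mac(password, SAMPLE_SALT, DEFAULT_ITER, SAMPLE_AUTHSAFE)
    return {
        "genuine": verify_mac(password, SAMPLE_SALT, DEFAULT_ITER, SAMPLE_AUTHSAFE, mac),
        "tampered": verify_mac(password, SAMPLE_SALT, DEFAULT_ITER,
                               SAMPLE_AUTHSAFE[:-1] + b"\x00", mac),
        "wrong_password": verify_mac("wrong", SAMPLE_SALT, DEFAULT_ITER, SAMPLE_AUTHSAFE, mac),
        "weak_params": mac_param_warnings(b"\x00" * 8, 1),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the round-trip results; mac_param_warnings encodes the two recommendations the option descriptions above give (a salt of at least 16 bytes, and the 2048 default rather than the count of 1 that \-noiter and \-nomaciter select), which is the check a reviewer would run over the macData parameters of a file before trusting its integrity protection.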
417 .IP \fB\-jdktrust\fR 4
418 .IX Item "-jdktrust"
421 certificate it is associated with. Currently only "anyExtendedKeyUsage" is
424 \&\fB\-nokeys\fR option
428 used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
429 for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
431 If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
438 Using the \fB\-clcerts\fR option will solve this problem by only
441 the \fB\-nokeys\fR \fB\-cacerts\fR options to just output CA certificates.
443 The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
446 encrypted private keys, then the option \fB\-keypbe\fR \fIPBE\-SHA1\-RC2\-40\fR can
448 description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
450 Prior to the 1.1 release, passwords containing non-ASCII characters were encoded
451 in a non-compliant manner, which limited interoperability, first and foremost
452 with Windows. But switching to standard-compliant password encoding
457 MT-safe, its sole goal is to facilitate the data upgrade with this
464 \& openssl pkcs12 \-in file.p12 \-out file.pem
467 Output only client certificates to a file:
470 \& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
476 \& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
482 \& openssl pkcs12 \-in file.p12 \-info \-noout
488 \& openssl pkcs12 \-in file.p12 \-info \-noout \-legacy
494 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE"
500 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE" \e
501 \& \-certfile othercerts.pem
508 \& openssl pkcs12 \-export \-in cert.pem \-inkey key.pem \-out file.p12 \-legacy
513 \&\fBopenssl\-pkcs8\fR\|(1),
514 \&\fBossl_store\-file\fR\|(7)
517 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
518 The \fB\-nodes\fR option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
521 Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.