Lines Matching +full:no +full:- +full:output
1 .\" -*- mode: troff; coding: utf-8 -*-
36 .\" output yourself in some meaningful fashion.
57 .IX Title "OPENSSL-PKCS12 1ossl"
58 .TH OPENSSL-PKCS12 1ossl 2025-07-24 3.5.1 OpenSSL
64 openssl\-pkcs12 \- PKCS#12 file command
68 [\fB\-help\fR]
69 [\fB\-passin\fR \fIarg\fR]
70 [\fB\-passout\fR \fIarg\fR]
71 [\fB\-password\fR \fIarg\fR]
72 [\fB\-twopass\fR]
73 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
74 [\fB\-out\fR \fIfilename\fR]
75 [\fB\-nokeys\fR]
76 [\fB\-nocerts\fR]
77 [\fB\-noout\fR]
78 [\fB\-legacy\fR]
79 [\fB\-engine\fR \fIid\fR]
80 [\fB\-provider\fR \fIname\fR]
81 [\fB\-provider\-path\fR \fIpath\fR]
82 [\fB\-provparam\fR \fI[name:]key=value\fR]
83 [\fB\-propquery\fR \fIpropq\fR]
84 [\fB\-rand\fR \fIfiles\fR]
85 [\fB\-writerand\fR \fIfile\fR]
88 [\fB\-info\fR]
89 [\fB\-nomacver\fR]
90 [\fB\-clcerts\fR]
91 [\fB\-cacerts\fR]
93 [\fB\-aes128\fR]
94 [\fB\-aes192\fR]
95 [\fB\-aes256\fR]
96 [\fB\-aria128\fR]
97 [\fB\-aria192\fR]
98 [\fB\-aria256\fR]
99 [\fB\-camellia128\fR]
100 [\fB\-camellia192\fR]
101 [\fB\-camellia256\fR]
102 [\fB\-des\fR]
103 [\fB\-des3\fR]
104 [\fB\-idea\fR]
105 [\fB\-noenc\fR]
106 [\fB\-nodes\fR]
108 PKCS#12 output (export) options:
110 [\fB\-export\fR]
111 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
112 [\fB\-certfile\fR \fIfilename\fR]
113 [\fB\-passcerts\fR \fIarg\fR]
114 [\fB\-chain\fR]
115 [\fB\-untrusted\fR \fIfilename\fR]
116 [\fB\-CAfile\fR \fIfile\fR]
117 [\fB\-no\-CAfile\fR]
118 [\fB\-CApath\fR \fIdir\fR]
119 [\fB\-no\-CApath\fR]
120 [\fB\-CAstore\fR \fIuri\fR]
121 [\fB\-no\-CAstore\fR]
122 [\fB\-name\fR \fIname\fR]
123 [\fB\-caname\fR \fIname\fR]
124 [\fB\-CSP\fR \fIname\fR]
125 [\fB\-LMK\fR]
126 [\fB\-keyex\fR]
127 [\fB\-keysig\fR]
128 [\fB\-keypbe\fR \fIcipher\fR]
129 [\fB\-certpbe\fR \fIcipher\fR]
130 [\fB\-descert\fR]
131 [\fB\-macalg\fR \fIdigest\fR]
132 [\fB\-pbmac1_pbkdf2\fR]
133 [\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR]
134 [\fB\-iter\fR \fIcount\fR]
135 [\fB\-noiter\fR]
136 [\fB\-nomaciter\fR]
137 [\fB\-maciter\fR]
138 [\fB\-macsaltlen\fR]
139 [\fB\-nomac\fR]
140 [\fB\-jdktrust\fR \fIusage\fR]
150 A PKCS#12 file can be created by using the \fB\-export\fR option (see below).
151 The PKCS#12 export encryption and MAC options such as \fB\-certpbe\fR and \fB\-iter\fR
152 and many further options such as \fB\-chain\fR are relevant only with \fB\-export\fR.
154 PKCS#12 input are relevant only when the \fB\-export\fR option is not given.
156 The default encryption algorithm is AES\-256\-CBC with PBKDF2 for key derivation.
159 for example, RC2\-40\-CBC,
160 try using the \fB\-legacy\fR option and, if needed, the \fB\-provider\-path\fR option.
161 .IP \fB\-help\fR 4
162 .IX Item "-help"
164 .IP "\fB\-passin\fR \fIarg\fR" 4
165 .IX Item "-passin arg"
167 are output.
169 see \fBopenssl\-passphrase\-options\fR\|(1).
170 .IP "\fB\-passout\fR \fIarg\fR" 4
171 .IX Item "-passout arg"
172 The password source for output files.
173 .IP "\fB\-password\fR \fIarg\fR" 4
174 .IX Item "-password arg"
175 With \fB\-export\fR, \fB\-password\fR is equivalent to \fB\-passout\fR,
176 otherwise it is equivalent to \fB\-passin\fR.
177 .IP \fB\-twopass\fR 4
178 .IX Item "-twopass"
182 \&\fB\-password\fR, \fB\-passin\fR if importing from PKCS#12, or \fB\-passout\fR if exporting.
183 .IP \fB\-nokeys\fR 4
184 .IX Item "-nokeys"
185 No private keys will be output.
186 .IP \fB\-nocerts\fR 4
187 .IX Item "-nocerts"
188 No certificates will be output.
189 .IP \fB\-noout\fR 4
190 .IX Item "-noout"
191 This option inhibits all credentials output,
193 .IP \fB\-legacy\fR 4
194 .IX Item "-legacy"
196 If OpenSSL is not installed system-wide,
197 it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
207 .IP "\fB\-engine\fR \fIid\fR" 4
208 .IX Item "-engine id"
211 .IP "\fB\-provider\fR \fIname\fR" 4
212 .IX Item "-provider name"
214 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
215 .IX Item "-provider-path path"
216 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
217 .IX Item "-provparam [name:]key=value"
218 .IP "\fB\-propquery\fR \fIpropq\fR" 4
219 .IX Item "-propquery propq"
222 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
223 .IX Item "-rand files, -writerand file"
227 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
228 .IX Item "-in filename|uri"
231 Without the \fB\-export\fR option this must be PKCS#12 file to be parsed.
232 For use with the \fB\-export\fR option
233 see the "PKCS#12 output (export) options" section.
234 .IP "\fB\-out\fR \fIfilename\fR" 4
235 .IX Item "-out filename"
236 The filename to write certificates and private keys to, standard output by
238 .IP \fB\-info\fR 4
239 .IX Item "-info"
240 Output additional information about the PKCS#12 file structure, algorithms
242 .IP \fB\-nomacver\fR 4
243 .IX Item "-nomacver"
245 .IP \fB\-clcerts\fR 4
246 .IX Item "-clcerts"
247 Only output client certificates (not CA certificates).
248 .IP \fB\-cacerts\fR 4
249 .IX Item "-cacerts"
250 Only output CA certificates (not client certificates).
251 .IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
252 .IX Item "-aes128, -aes192, -aes256"
254 .IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4
255 .IX Item "-aria128, -aria192, -aria256"
257 .IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
258 .IX Item "-camellia128, -camellia192, -camellia256"
260 .IP \fB\-des\fR 4
261 .IX Item "-des"
263 .IP \fB\-des3\fR 4
264 .IX Item "-des3"
266 .IP \fB\-idea\fR 4
267 .IX Item "-idea"
269 .IP \fB\-noenc\fR 4
270 .IX Item "-noenc"
272 .IP \fB\-nodes\fR 4
273 .IX Item "-nodes"
274 This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
275 .SS "PKCS#12 output (export) options"
276 .IX Subsection "PKCS#12 output (export) options"
277 .IP \fB\-export\fR 4
278 .IX Item "-export"
281 .IP "\fB\-out\fR \fIfilename\fR" 4
282 .IX Item "-out filename"
283 This specifies filename to write the PKCS#12 file to. Standard output is used
285 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
286 .IX Item "-in filename|uri"
289 With the \fB\-export\fR option this is a file with certificates and a key,
293 certificates are present they will also be included in the PKCS#12 output file.
294 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
295 .IX Item "-inkey filename|uri"
296 The private key input for PKCS12 output.
297 If this option is not specified then the input file (\fB\-in\fR argument) must
299 If no engine is used, the argument is taken as a file.
300 If the \fB\-engine\fR option is used or the URI has prefix \f(CW\*(C`org.openssl.engine:\*(C'\fR
302 .IP "\fB\-certfile\fR \fIfilename\fR" 4
303 .IX Item "-certfile filename"
304 An input file with extra certificates to be added to the PKCS#12 output
305 if the \fB\-export\fR option is given.
306 .IP "\fB\-passcerts\fR \fIarg\fR" 4
307 .IX Item "-passcerts arg"
308 The password source for certificate input such as \fB\-certfile\fR
309 and \fB\-untrusted\fR.
311 \&\fBopenssl\-passphrase\-options\fR\|(1).
312 .IP \fB\-chain\fR 4
313 .IX Item "-chain"
315 certificate is built and included in the PKCS#12 output file.
316 The end entity certificate is the first one read from the \fB\-in\fR file
317 if no key is given, else the first certificate matching the given key.
319 as well as any untrusted CA certificates given with the \fB\-untrusted\fR option.
320 .IP "\fB\-untrusted\fR \fIfilename\fR" 4
321 .IX Item "-untrusted filename"
324 with the \fB\-export\fR option and the \fB\-chain\fR option is given as well.
325 Any certificates that are actually part of the chain are added to the output.
326 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \…
327 .IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
328 See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
329 .IP "\fB\-name\fR \fIfriendlyname\fR" 4
330 .IX Item "-name friendlyname"
333 .IP "\fB\-caname\fR \fIfriendlyname\fR" 4
334 .IX Item "-caname friendlyname"
339 .IP "\fB\-CSP\fR \fIname\fR" 4
340 .IX Item "-CSP name"
343 are output.
345 see \fBopenssl\-passphrase\-options\fR\|(1).
346 .IP \fB\-LMK\fR 4
347 .IX Item "-LMK"
349 .IP \fB\-keyex\fR|\fB\-keysig\fR 4
350 .IX Item "-keyex|-keysig"
354 encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
359 .IP "\fB\-keypbe\fR \fIalg\fR, \fB\-certpbe\fR \fIalg\fR" 4
360 .IX Item "-keypbe alg, -certpbe alg"
364 (as output by \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR) is specified then it
369 .IP \fB\-descert\fR 4
370 .IX Item "-descert"
372 key and the certificates are encrypted using AES\-256\-CBC unless
373 the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
375 .IP "\fB\-macalg\fR \fIdigest\fR" 4
376 .IX Item "-macalg digest"
378 .IP \fB\-pbmac1_pbkdf2\fR 4
379 .IX Item "-pbmac1_pbkdf2"
381 .IP "\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR" 4
382 .IX Item "-pbmac1_pbkdf2_md digest"
384 Unless \f(CW\*(C`\-pbmac1_pbkdf2\*(C'\fR is specified, this parameter is ignored.
385 .IP "\fB\-iter\fR \fIcount\fR" 4
386 .IX Item "-iter count"
395 .IP "\fB\-noiter\fR, \fB\-nomaciter\fR" 4
396 .IX Item "-noiter, -nomaciter"
401 MSIE 4.0 doesn't support MAC iteration counts so it needs the \fB\-nomaciter\fR
403 .IP \fB\-maciter\fR 4
404 .IX Item "-maciter"
407 .IP \fB\-macsaltlen\fR 4
408 .IX Item "-macsaltlen"
410 should be at least 16 bytes as per NIST SP 800\-132. The default value
412 .IP \fB\-nomac\fR 4
413 .IX Item "-nomac"
417 .IP \fB\-jdktrust\fR 4
418 .IX Item "-jdktrust"
424 \&\fB\-nokeys\fR option
428 used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
429 for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
431 If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
432 then all certificates will be output in the order they appear in the input
433 PKCS#12 files. There is no guarantee that the first certificate present is
438 Using the \fB\-clcerts\fR option will solve this problem by only
440 certificates are required then they can be output to a separate file using
441 the \fB\-nokeys\fR \fB\-cacerts\fR options to just output CA certificates.
443 The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
446 encrypted private keys, then the option \fB\-keypbe\fR \fIPBE\-SHA1\-RC2\-40\fR can
448 description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
450 Prior 1.1 release passwords containing non-ASCII characters were encoded
451 in non-compliant manner, which limited interoperability, in first hand
452 with Windows. But switching to standard-compliant password encoding
457 MT-safe, its sole goal is to facilitate the data upgrade with this
461 Parse a PKCS#12 file and output it to a PEM file:
464 \& openssl pkcs12 \-in file.p12 \-out file.pem
467 Output only client certificates to a file:
470 \& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
476 \& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
482 \& openssl pkcs12 \-in file.p12 \-info \-noout
488 \& openssl pkcs12 \-in file.p12 \-info \-noout \-legacy
494 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE"
500 \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE" \e
501 \& \-certfile othercerts.pem
508 \& openssl pkcs12 \-export \-in cert.pem \-inkey key.pem \-out file.p12 \-legacy
513 \&\fBopenssl\-pkcs8\fR\|(1),
514 \&\fBossl_store\-file\fR\|(7)
517 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
518 The \fB\-nodes\fR option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
521 Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.