xref: /freebsd/secure/lib/libcrypto/man/man3/PKCS12_create.3 (revision e9ac41698b2f322d55ccf9da50a3596edb2c1800)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "PKCS12_CREATE 3ossl"
PKCS12_CREATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
PKCS12_create, PKCS12_create_ex - create a PKCS#12 structure
"SYNOPSIS"
Header "SYNOPSIS" .Vb 1 #include <openssl/pkcs12.h> \& PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype); PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype, OSSL_LIB_CTX *ctx, const char *propq); .Ve
"DESCRIPTION"
Header "DESCRIPTION" \fBPKCS12_create() creates a PKCS#12 structure.

\fIpass is the passphrase to use. name is the friendlyName to use for the supplied certificate and key. pkey is the private key to include in the structure and cert its corresponding certificates. ca, if not \s-1NULL\s0 is an optional set of certificates to also include in the structure.

\fInid_key and nid_cert are the encryption algorithms that should be used for the key and certificate respectively. The modes \s-1GCM, CCM, XTS,\s0 and \s-1OCB\s0 are unsupported. iter is the encryption algorithm iteration count to use and mac_iter is the \s-1MAC\s0 iteration count to use. \fIkeytype is the type of key.

\fBPKCS12_create_ex() is identical to PKCS12_create() but allows for a library context \fIctx and property query propq to be used to select algorithm implementations.

"NOTES"
Header "NOTES" The parameters nid_key, nid_cert, iter, mac_iter and keytype can all be set to zero and sensible defaults will be used.

These defaults are: \s-1AES\s0 password based encryption (\s-1PBES2\s0 with \s-1PBKDF2\s0 and \s-1AES-256-CBC\s0) for private keys and certificates, the \s-1PBKDF2\s0 and \s-1MAC\s0 key derivation iteration count of \s-1PKCS12_DEFAULT_ITER\s0 (currently 2048), and \s-1MAC\s0 algorithm \s-1HMAC\s0 with \s-1SHA2-256.\s0 The \s-1MAC\s0 key derivation algorithm used for the outer PKCS#12 structure is \s-1PKCS12KDF.\s0

The default \s-1MAC\s0 iteration count is 1 in order to retain compatibility with old software which did not interpret \s-1MAC\s0 iteration counts. If such compatibility is not required then mac_iter should be set to \s-1PKCS12_DEFAULT_ITER.\s0

\fIkeytype adds a flag to the store private key. This is a non standard extension that is only currently interpreted by \s-1MSIE.\s0 If set to zero the flag is omitted, if set to \s-1KEY_SIG\s0 the key can be used for signing only, if set to \s-1KEY_EX\s0 it can be used for signing and encryption. This option was useful for old export grade software which could use signing only keys of arbitrary size but had restrictions on the permissible sizes of keys which could be used for encryption.

If a certificate contains an alias or keyid then this will be used for the corresponding friendlyName or localKeyID in the \s-1PKCS12\s0 structure.

Either pkey, cert or both can be \s-1NULL\s0 to indicate that no key or certificate is required. In previous versions both had to be present or a fatal error is returned.

\fInid_key or nid_cert can be set to -1 indicating that no encryption should be used.

\fImac_iter can be set to -1 and the \s-1MAC\s0 will then be omitted entirely. This can be useful when running with the \s-1FIPS\s0 provider as the \s-1PKCS12KDF\s0 is not a \s-1FIPS\s0 approvable algorithm.

\fBPKCS12_create() makes assumptions regarding the encoding of the given pass phrase. See passphrase-encoding\|(7) for more information.

"RETURN VALUES"
Header "RETURN VALUES" \fBPKCS12_create() returns a valid \s-1PKCS12\s0 structure or \s-1NULL\s0 if an error occurred.
"CONFORMING TO"
Header "CONFORMING TO" \s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
"SEE ALSO"
Header "SEE ALSO" \s-1EVP_KDF-PKCS12KDF\s0\|(7), \fBd2i_PKCS12\|(3), \s-1OSSL_PROVIDER-FIPS\s0\|(7), \fBpassphrase-encoding\|(7)
"HISTORY"
Header "HISTORY" \fBPKCS12_create_ex() was added in OpenSSL 3.0.

The defaults for encryption algorithms, \s-1MAC\s0 algorithm, and the \s-1MAC\s0 key derivation iteration count were changed in OpenSSL 3.0 to more modern standards.

"COPYRIGHT"
Header "COPYRIGHT" Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.