First, Introduction
PKCS12 command to generate and analyze PKCS12 files
Second, the grammar
OpenSSL pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-capath arg] [-cafile arg] [-name name] [-caname name] [- in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-Info] [-noiter] [-maciter] [-nomaciter] [-nomac] [-twopass] [-Descert] [-certpbe ALG] [-keypbe ALG] [-macalg Digest] [-keyex] [-keysig] [-password Arg] [-passin Arg] [-passout arg] [file(s)] [-LMK] [-CSP name] [-engine E] [-des] [-des3] [-aes128] [-aes192] [-aes256] [-Idea] [-camellia128] [-camellia192] [-camellia256] [-nodes]
Options
-export Output PKCS12file-chain Add certificate chain-inkeyfilePrivate keyifNot infile-certfile F Add all certsinchF-capath ARG-PEM Format Directory of CAs's-cafile ARG-PEM Formatfileof CA's-name"name"Use name as friendly name-caname"nm"Use NM as CA friendly name (can be used Morethan once).-inchinfile input filename-Out outfile output filename-noout Don't output anything, just verify.-nomacver Don't verify MAC.-nocerts Don't output certificates.-clcerts only output client certificates.-cacerts only output CA certificates.-nokeys Don't output private keys.-InfoGiveInfoAbout pkcs# Astructure.-des encrypt private keys with des-Des3 encrypt private keys with triple DES (default)-Idea encrypt private keys with idea-seed encrypt private keys with seed-aes128,-aes192,-aes256 encrypt PEM output with CBC AES-camellia128,-camellia192,-camellia256 encrypt PEM output with CBC Camellia-nodes Don't encrypt private keys-noiter Don't use encryption Iteration-nomaciter Don't use MAC iteration-maciter Use MAC iteration-nomac Don't generate MAC-twopass separate MAC, encryption passwords-descert Encrypt pkcs# ACertificates with triple DES (default rc2- +)-CERTPBE ALG Specify certificate PBE algorithm (default rc2- +)-keypbe alg Specify private key PBE algorithm (default 3DES)-macalg ALG Digest algorithm usedinchMAC (default SHA1)-Keyex Set MS key exchange type-Keysig set MS key signature type-password P Set import/Export Password Source-passin p InputfilePass phrase source-passout p OutputfilePass phrase source-engine e Use engine E, possibly a hardware device.-randfile:file:. .. load thefile(or the FilesinchThe directory) into the random number generator-CSP name Microsoft CSP name-LMK ADD Local Machine keyset attribute to private key
Third, examples
1. PKCS and PEM format for mutual transfer
1) Pem to PKCS12 file (contains CA certificate, CA certificate not included)
OpenSSL pkcs12-export-inkey Serverprikey.pem- in Server.pem-cafile Democa/cacert.pem-password pass:"
123456" -out server.pfx
OpenSSL pkcs12-export-inkey serverprikey.pem-in Server.pem-password pass: "123456"-out server_nocret.pfx
2) PKCS12 converted to PEM file
OpenSSL pkcs12- in Server_nocret.pfx-out Server_nocret.pem-nodes-password pass:"123456 "
2. View PKCS12 Information
OpenSSL pkcs12- in Server.pfx-password Pass:"123456" -info -nocerts– Nokeys
Reference: http://blog.csdn.net/as3luyuan123/article/details/16105475
Openssl PKCS12 Commands