On 2/13/2015 12:12 PM, Dr. Stephen Henson wrote:
On Fri, Feb 13, 2015, Sean Leonard wrote:
Using the openssl pkcs12 -export command, is it possible to specify
a "-certpbe" value that does not do encryption? Perhaps you only
want integrity protection--you don't care whether the certificates
are shrouded. The PKCS #12 standard seems to imply that "certBags"
can be used as-is; however, all examples of PKCS #12 files that I
have seen encrypt the certificates.
Try -certpbe NONE
Thank you! That did the trick. The resultant PKCS #12 file contains the
certBag type containing OCTET STRINGS identified as x509Certificate,
containing the binary certificates. A partial analyzed example from
"asn1js" is included for doubters.
Importing this PKCS #12 file into Microsoft CryptoAPI, Mozilla NSS, and
Apple Mac OS X Keychain succeeded in all cases. (Note that the -macalg
was not changed; it used the default of SHA-1.)
Best regards,
Sean
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
