On Wed, Apr 22, 2009, Bob Barnes wrote:

> Steve,
>
> Just so I'm clear, what I hear you saying is that when I re-encrypt the
> RSA private key with the new password, that the error is not propagated to
> the new private key file and that corresponds to what I see when I
> subsequently decrypt the new encrypted private key because I no longer get
> the "No Octet..." warning message. That leaves me with the question of why
> IBM's DCM would fail when importing the output of the pkcs12 export.
> According to IBM's documentation, DCM requires validly formatted PKCS12 V2
> files. The OpenSSL documentation doesn't mention V2, but does cite PFX,
> which I thought was generally considered to be V1, so the question arises
> are the PKCS#12 produced by OpenSSL V2?
>
I'm not sure what they mean by "V2"; there isn't a PKCS#12 V2 AFAIK. There
were various revisions of the standard and OpenSSL should be compatible with
them all. The latest version on RSA's site is listed as "Version 1.0".

The MAC iteration count was added quite late on in the original spec which is
what I suggested trying -nomaciter.

If you can get DCM to produce a sample PKCS#12 file, see if OpenSSL can parse
it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
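
The two checks suggested in the reply above, as an added example that is not part of the original message: export the same key and certificate with and without `-nomaciter`, then read back the MAC iteration count that `openssl pkcs12 -info` reports. The file names, the CN, the password `test` and the helper names `mac_iter` and `make_test_p12` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the MAC iteration count of PKCS#12 exports.
# All file names, the CN and the password "test" are constructed test values.
set -eu

# Print the MAC iteration count that `openssl pkcs12 -info` reports for a file.
# Usage: mac_iter FILE PASSWORD
mac_iter() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 |
    awk '/Iteration/ && !seen { sub(/.*Iteration /, ""); sub(/[^0-9].*/, ""); print; seen = 1 }'
}

# Create a throwaway key and self-signed certificate, then export it twice:
# once with default settings and once with -nomaciter.
# Usage: make_test_p12 DIR
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-interop-test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout pass:test -out "$1/default.p12"
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout pass:test -nomaciter -out "$1/nomaciter.p12"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_p12 "$WORK"
echo "default export:    MAC iteration $(mac_iter "$WORK/default.p12" test)"
echo "-nomaciter export: MAC iteration $(mac_iter "$WORK/nomaciter.p12" test)"
```

Running `mac_iter` on a sample file exported by the other product, with that file's own password, shows whether OpenSSL can parse it and which iteration count it carries.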