A lot of things on the Internet are wrong. The OpenSSL man page does not say
multiple occurrences work and I'm pretty sure it never did, nor did the code.
In general OpenSSL commandlines don't handle repeated options; the few
exceptions are noted.

pkcs12 -caname (NOT -cafile) IS one of the few that can be repeated, and
possibly some things on the Internet got that confused. However, the
commandlines (at least usually?) don't *diagnose* repeated (and overridden)
options.

pkcs12 -export gets certs from up to three places:

- the input file (-in if specified else stdin redirected or piped)

- -certfile if specified (once, as you saw)

- the truststore if -CAfile and/or -CApath specified IF NEEDED

 

In other words, any cert in infile or certfile is always in the output,
needed or not. If that set does not provide a complete chain, pkcs12 will try
to complete it using the truststore if specified, but will produce output even
if it remains incomplete.

Like other commandlines, and many programs using the library, the truststore
can be a single file with -CAfile (NOT -cafile) or a directory of hashnamed
links or files with -CApath or both.

If the cert you are putting in pkcs12 is under a CA that you trust other
peers to use and thus you have in your truststore, easiest to use it from
there. Similarly if your cert is under an intermediate (or several) that you
have in your truststore to allow peers to use even if the peers don't send (as
they should), easiest to use from there. Otherwise IMO it's easiest to just
put in infile or -certfile (or a combination), although the option of
temporarily creating or modifying a truststore works.

Whether to do your truststore with CAfile or CApath or both is a more general
question and depends partly on whether you use somebody's package. For example
the curl website supplies the Mozilla truststore in CAfile format; when I want
to use that I don't bother converting to CApath format.

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Edward Ned Harvey
(openssl)
Sent: Tuesday, April 22, 2014 15:31
To: openssl-users@openssl.org
Subject: *** Spam *** How to include intermediate in pkcs12?


A bunch of things on the internet say to do "-cafile intermediate.pem
-cafile root.pem" or "-certfile intermediate.pem -certfile root.pem" and
they explicitly say that calling these command-line options more than once
is ok and will result in both the certs being included in the final
pkcs12...  But I have found this to be untrue.


I have found that if I concatenate intermediate & root into a single glom
file, and then I specify -certfile once for the glom, then my pfx file will
include the complete chain.  But if I use -certfile twice, I get no
intermediate in my pfx.  And I just wasted more time than I care to
describe, figuring this out.


So...  While concatenation/glom is a viable workaround, I'd like to know,
what's supposed to work?  And was it a new feature introduced after a
certain rev or something?   I have OpenSSL 0.9.8y command-line on Mac OSX,
and OpenSSL 1.0.1e command-line on cygwin.  I believe I've seen the same
behavior in both.
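The script below is an added, runnable illustration of the thread's points, not code from either poster: it builds a throwaway Root -> Intermediate -> Leaf chain with the openssl CLI, then exports three PKCS#12 files the ways the reply describes (extra certs from one concatenated -certfile, the same option repeated as the original poster tried, and the truststore route with -chain -CAfile) and counts the certificates that actually end up in each. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the CA names, the config file and the export password "test" are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes `openssl` on PATH;
# all names, keys and the password "test" are constructed throwaway values.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# Build root.pem, inter.pem and leaf.pem (plus keys): Root signs Intermediate,
# Intermediate signs Leaf. Constructed test-only material.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root" -days 2 -config req.cnf -extensions ca_ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Intermediate" -config req.cnf 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 2 -extfile req.cnf -extensions ca_ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example.test" -config req.cnf 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out leaf.pem -days 2 -extfile req.cnf -extensions leaf_ext 2>/dev/null
}

# Number of certificates stored in a PKCS#12 file (password "test" throughout).
cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:test 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

make_chain

# 1) The workaround from the thread: concatenate intermediate + root into one
#    file and pass it with a single -certfile. Everything in that file goes in.
cat inter.pem root.pem > chain.pem
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile chain.pem \
    -out glom.p12 -passout pass:test

# 2) What the original poster tried: -certfile given twice. The option is not
#    cumulative, the last value wins, so the intermediate is silently dropped.
openssl pkcs12 -export -in leaf.pem -inkey leaf.key \
    -certfile inter.pem -certfile root.pem -out twice.p12 -passout pass:test

# 3) The truststore route: -chain asks pkcs12 to complete the chain from -CAfile
#    (here a file holding both CA certs, i.e. the "temporary truststore" option).
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -chain -CAfile chain.pem \
    -out chain.p12 -passout pass:test

echo "glom.p12  : $(cert_count glom.p12) certs (expect 3)"
echo "twice.p12 : $(cert_count twice.p12) certs (expect 2: leaf + root only)"
echo "chain.p12 : $(cert_count chain.p12) certs (expect 3)"
```

Checking the count with `openssl pkcs12 -in ... -nokeys` after every export is the quick sanity test to run before shipping a .p12/.pfx: the export succeeds silently whether or not the chain is complete, so the only way to know the intermediate made it in is to read the file back.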
