> From: owner-openssl-us...@openssl.org On Behalf Of Gregory Sloop
> Sent: Monday, September 15, 2014 22:50

> And, one more question:

> How can I tell what format/encryption my pkcs12 files are in?
> [I believe for Android platform use, I need p12 certs/keys - so I'm working
> on the export/conversion part too.]

> I export my cert+key like so:
> [openssl pkcs12 -export -aes256 -in somecert.crt -inkey somekey.key -out
> somep12.p12]

> An "openssl pkcs12 -info -in somecert.p12" gives something like this:
<snip>
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

> My take on what that says [which may well be wrong.]
> The cert is protected with what appears to be quite a weak cipher,
> but we don't care, since it's "public" anyway.

Right.

> However this looks like the key is encrypted with 3DES, but I "exported" it
> from the Cert+Key with "-aes256" - so I'm puzzled why I'd have a 3DES
> encrypted p12.

You thought you did but you didn't. The doc is a bit subtle, but the -$cipher
option is listed under "PARSING". It applies when *reading* a PKCS#12 and
extracting the cert(s) and key(s?) to separate files or sections, for (most)
other OpenSSL operations, and specifically to encrypting the extracted
private-key section. To specify the PBE algorithm for the key when exporting
*to PKCS12*, use -keypbe, as listed on the man page under "EXPORTING".

And yes, it isn't very helpful that the command line doesn't warn when you
specify a combination of options that doesn't make sense. This is true for
most of the command-line functions historically, although a few that have
been (re)written recently are better.

<snip earlier>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
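The following script is an added example, not part of the thread or of OpenSSL's own code. It reproduces the whole exchange end to end: export a key+cert with the ignored -aes256 option, export again with -keypbe, and read the "Shrouded Keybag" line back with "openssl pkcs12 -info" to see which PBE actually protects the key. It assumes an openssl CLI (1.1.x or 3.x) on PATH; the subject name, file names and the password "demo" are made up for the example. Note that OpenSSL 3.x already defaults to PBES2/AES-256-CBC on export, so the 2014 result (3DES) only reappears there with the -legacy option; on 1.1.x the first export shows pbeWithSHA1And3-KeyTripleDES-CBC exactly as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): -aes256 on "pkcs12 -export" does not
# select the key PBE, -keypbe does, and "pkcs12 -info" is how you check.
# Assumes an OpenSSL CLI on PATH; names and the password are invented.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed cert plus unencrypted key, purely as input material.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=p12-demo \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# export_p12 OUTFILE [extra "openssl pkcs12 -export" options...]
export_p12() {
    out=$1; shift
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -passout pass:demo -out "$out" "$@"
}

# Print the "Shrouded Keybag:" line (the private-key PBE) of a .p12 file.
# openssl writes the -info lines to stderr, so merge the streams; -nokeys
# and -nocerts keep the actual key and cert material out of the output.
keybag_alg() {
    openssl pkcs12 -info -in "$1" -passin pass:demo -nokeys -nocerts 2>&1 \
        | grep 'Shrouded Keybag' | head -n 1
}

make_test_material

# 1. The mistake from the thread: -aes256 is a PARSING option, so export
#    ignores it and uses the default key PBE. 1.1.x: pbeWithSHA1And3-Key
#    TripleDES-CBC. 3.x: PBES2/AES-256-CBC by default (-legacy for the old).
export_p12 "$WORK/ignored.p12" -aes256
echo "-aes256 on export:     $(keybag_alg "$WORK/ignored.p12")"

# 2. What the poster wanted: -keypbe selects the key PBE on export.
export_p12 "$WORK/aes.p12" -keypbe AES-256-CBC
echo "-keypbe AES-256-CBC:   $(keybag_alg "$WORK/aes.p12")"

# 3. For comparison, the 2014 default requested explicitly.
export_p12 "$WORK/des.p12" -keypbe PBE-SHA1-3DES
echo "-keypbe PBE-SHA1-3DES: $(keybag_alg "$WORK/des.p12")"
```

Keep -certpbe in mind as well: it does the same job for the certificate bags, and on 3.x the default there is also PBES2/AES-256-CBC, so the weak RC2 cert encryption from the post only comes back with -legacy.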