pkcs12.pod (68651) pkcs12.pod (76866)
1
2=pod
3
4=head1 NAME
5
6pkcs12 - PKCS#12 file utility
7
8=head1 SYNOPSIS

--- 290 unchanged lines hidden (view full) ---

299
300 openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
301 -certfile othercerts.pem
302
303=head1 BUGS
304
305Some would argue that the PKCS#12 standard is one big bug :-)
306
1
2=pod
3
4=head1 NAME
5
6pkcs12 - PKCS#12 file utility
7
8=head1 SYNOPSIS

--- 290 unchanged lines hidden (view full) ---

299
300 openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
301 -certfile othercerts.pem
302
303=head1 BUGS
304
305Some would argue that the PKCS#12 standard is one big bug :-)
306
307Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
308routines. Under rare circumstances this could produce a PKCS#12 file encrypted
309with an invalid key. As a result some PKCS#12 files which triggered this bug
310from other implementations (MSIE or Netscape) could not be decrypted
311by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
312not be decrypted by other implementations. The chances of producing such
313a file are relatively small: less than 1 in 256.
314
315A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
316files cannot no longer be parsed by the fixed version. Under such circumstances
317the B<pkcs12> utility will report that the MAC is OK but fail with a decryption
318error when extracting private keys.
319
320This problem can be resolved by extracting the private keys and certificates
321from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
322file from the keys and certificates using a newer version of OpenSSL. For example:
323
324 old-openssl -in bad.p12 -out keycerts.pem
325 openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
326
307=head1 SEE ALSO
308
309L<pkcs8(1)|pkcs8(1)>
310
327=head1 SEE ALSO
328
329L<pkcs8(1)|pkcs8(1)>
330