Generating PFX with 3DES
Michael Wojcik
Michael.Wojcik at microfocus.com
Wed Mar 1 17:49:27 UTC 2023
> From: Newbie User <n3wbie001 at gmail.com>
> Sent: Wednesday, 1 March, 2023 07:32
> I also saw a keypbe option. Do we have any official docs for all these? Didn't see anything explained in
> OpenSSL docs for this.
I don't know where you were looking, but:
https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html
lists the -keypbe and -certpbe options, and in the Notes section it refers you to the pkcs8 man page:
https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html
and the Notes section of *that* page lists the available suites you can use. I believe the OpenSSL 3.0 man pages are similar. I haven't looked at the 1.0.2 man pages recently.
> Also, why isn't it 3DES by default, as RC2 was deprecated a long time back?
That I can't answer. There was an issue raised a few years ago (https://github.com/openssl/openssl/issues/12227) which pointed out that in 3.0 RC2 requires the legacy provider, so with 3.0 you have to use either -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using an RC2-based PBE for the default certificate PBE, but maybe there is one. If not, you could raise it.
--
Michael Wojcik
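
Added example, not part of the original message and not OpenSSL project code: a shell sketch that exports a PFX with -keypbe and -certpbe both set to PBE-SHA1-3DES (one of the suite names listed in the pkcs8 man page Notes), then reads the bag headers back to confirm no other PBE was used. The file names, subject, passwords and function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: file names, subject and passwords are sample values.

make_3des_pfx() {   # $1 = work dir, $2 = export password
    # Throwaway self-signed key and certificate to have something to export.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pfx-demo.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    # -keypbe sets the PBE for the private-key bag, -certpbe for the cert bag.
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -passout "pass:$2" -out "$1/demo.pfx"
}

pfx_pbe_algs() {    # $1 = PKCS#12 file, $2 = password
    # -info reports each bag's PBE on stderr; -noout keeps keys and certs
    # out of the output.
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1 |
        grep -E 'PKCS7 Encrypted data|Shrouded Keybag'
}

pfx_uses_only_3des() {
    algs=$(pfx_pbe_algs "$1" "$2") || return 1
    total=$(printf '%s\n' "$algs" | grep -c .)
    tdes=$(printf '%s\n' "$algs" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC')
    # One cert bag plus one key bag, both 3DES, nothing RC2-based.
    [ "$total" -eq 2 ] && [ "$tdes" -eq 2 ]
}

tmp=$(mktemp -d)
if make_3des_pfx "$tmp" 'demo-pass' && pfx_uses_only_3des "$tmp/demo.pfx" 'demo-pass'
then
    pfx_pbe_algs "$tmp/demo.pfx" 'demo-pass'
else
    echo "PFX is not 3DES-only (or openssl failed)" >&2
fi
rm -rf "$tmp"
```

Running pfx_pbe_algs against a PFX exported without -certpbe shows which PBE that OpenSSL build picks for the certificate bag by default.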