[openssl-users] pkcs12 is no encryption possible for certs?

Michael Sierchio kudzu at tenebras.com
Fri Feb 13 20:02:06 UTC 2015

On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard <dev+openssl at seantek.com> wrote:
> Using the openssl pkcs12 -export command, is it possible to specify a
> "-certpbe" value that does not do encryption? Perhaps you only want
> integrity protection--you don't care whether the certificates are shrouded.
> The PKCS #12 standard seems to imply that "certBags" can be used as-is;
> however, all examples of PKCS #12 files that I have seen encrypt the
> certificates.
> Will other common crypto stacks be able to process such a PKCS #12 file
> (that does not encrypt the certificates)?

Whenever I hear someone talking about encrypting a certificate, I
conclude that they are horribly confused. A cert is signed, over the
entire contents, so integrity is reducible to the cryptographic
algorithms employed. A cert is not a secret, does not contain secrets,

- M

More information about the openssl-users mailing list