[openssl-users] pkcs12 how to have different key friendlyName?

Dr. Stephen Henson steve at openssl.org
Fri Feb 13 20:23:21 UTC 2015

On Fri, Feb 13, 2015, Sean Leonard wrote:

> Using the openssl pkcs12 -export command, how can one specify a
> different friendlyName attribute for the private key?
> For example, consider the command:
> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
> key.txt -in user.crt -name "sean user cert 2015" -certfile
> othercerts.txt

I'm curious as to why you want to do this.

If no friendlyname is specified on the command line an "alias" associated with
the certificate is used instead. You can associate an alias with a certificate
like this:

openssl x509 -in cert.pem -setalias "some name" -out newcert.pem

Unfortunately the -name option specified on the command line will also be
used even if there is an alias present. You can change this by looking in
crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
following lines:

        if (name && !PKCS12_add_friendlyname(bag, name, -1))
            goto err;

Then you can specify the certificate friendlyname using the alias and the
private key friendly name using the command line -name option.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list