[openssl-users] pkcs12 is no encryption possible for certs?

Gregory Sloop gregs at sloop.net
Fri Feb 13 20:32:13 UTC 2015



MS> On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard <dev+openssl at seantek.com> wrote:
>> Using the openssl pkcs12 -export command, is it possible to specify a
>> "-certpbe" value that does not do encryption? Perhaps you only want
>> integrity protection--you don't care whether the certificates are shrouded.
>> The PKCS #12 standard seems to imply that "certBags" can be used as-is;
>> however, all examples of PKCS #12 files that I have seen encrypt the
>> certificates.

>> Will other common crypto stacks be able to process such a PKCS #12 file
>> (that does not encrypt the certificates)?

MS> Whenever I hear someone talking about encrypting a certificate, I
MS> conclude that they are horribly confused. A cert is signed, over the
MS> entire contents, so integrity is reducible to the cryptographic
MS> algorithms employed. A cert is not a secret, does not contain secrets,
MS> etc.

It's easy to make a mistake and...
...type "cert" when you really mean "key."
...not remember/understand/grok that PKCS12 files often contain both certs and keys. [And that both can be encrypted.]

BTW, as long as we're talking about p12's and encryption. It's my experience that using a cipher other than 3DES [i.e. AES128/256] won't be handled well [i.e. not at all] by current versions of Windows or OSX. 

I know that's not the direction of the question, and only oblique to it, but perhaps it's useful.

-Greg
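An added example (not part of this thread, nor the OpenSSL project's own code) showing both points above in practice: the openssl pkcs12 CLI does accept `-certpbe NONE`, which leaves the certBags in a plain "PKCS7 Data" SafeContents while the private key stays in a shrouded key bag, and `-certpbe PBE-SHA1-3DES` produces the 3DES-encrypted layout Greg mentions. The script assumes the openssl CLI is on PATH; the key, self-signed certificate, file names under a temporary directory and the password "demo" are all constructed throwaway values for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway key + self-signed cert,
# export them as PKCS#12 twice (certificate bag unencrypted vs. 3DES-encrypted)
# and inspect which SafeContents ended up encrypted.
# Assumes the openssl CLI is on PATH; all files and the password are constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/p12demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASS="pass:demo"   # constructed throwaway password, for this example only

# Generate a throwaway RSA key and self-signed certificate (nothing sensitive).
make_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# export_p12 OUTFILE CERTPBE KEYPBE
# -certpbe NONE keeps the certBags in plain "PKCS7 Data"; the private key is
# still wrapped in a shrouded key bag using KEYPBE, so only the cert is unshrouded.
# -macalg sha1 selects the SHA-1 MAC used by the older PKCS#12 profiles.
export_p12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$1" -certpbe "$2" -keypbe "$3" -macalg sha1 -passout "$PASS"
}

# Count the "PKCS7 Encrypted data" SafeContents reported by `pkcs12 -info`.
# The structural dump is written to stderr, hence 2>&1; `|| true` keeps
# grep's exit status 1 on a zero count from tripping set -e.
encrypted_safes() {
    openssl pkcs12 -info -in "$1" -noout -passin "$PASS" 2>&1 \
        | grep -c "PKCS7 Encrypted data" || true
}

make_material
export_p12 "$WORK/plain-certs.p12" NONE PBE-SHA1-3DES
export_p12 "$WORK/legacy.p12" PBE-SHA1-3DES PBE-SHA1-3DES

echo "plain-certs.p12 encrypted SafeContents: $(encrypted_safes "$WORK/plain-certs.p12")"
echo "legacy.p12      encrypted SafeContents: $(encrypted_safes "$WORK/legacy.p12")"
```

Running it prints 0 encrypted SafeContents for the `-certpbe NONE` file and 1 for the 3DES file; in both cases `pkcs12 -info` still reports the key as a shrouded key bag, which is the cert-versus-key distinction the reply is making. The `-info` listing is also the quickest way to check what an existing .p12 actually uses before handing it to another stack.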

