[openssl-users] pkcs12 is no encryption possible for certs?

Sean Leonard dev+openssl at seantek.com
Sat Feb 14 07:36:06 UTC 2015

On 2/13/2015 12:12 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>> Using the openssl pkcs12 -export command, is it possible to specify
>> a "-certpbe" value that does not do encryption? Perhaps you only
>> want integrity protection--you don't care whether the certificates
>> are shrouded. The PKCS #12 standard seems to imply that "certBags"
>> can be used as-is; however, all examples of PKCS #12 files that I
>> have seen encrypt the certificates.
> Try -certpbe NONE

Thank you! That did the trick. The resultant PKCS #12 file contains the 
certBag type containing OCTET STRINGS identified as x509Certificate, 
containing the binary certificates. A partial analyzed example from 
"asn1js" is included for doubters.

Importing this PKCS #12 file into Microsoft CryptoAPI, Mozilla NSS, and 
Apple Mac OS X Keychain succeeded in all cases. (Note that the -macalg 
was not changed; it used the default of SHA-1.)

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shows-certbag-oids-example.png
Type: image/png
Size: 22280 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150213/0d65b1b7/attachment-0001.png>

More information about the openssl-users mailing list