[openssl-users] pkcs12 how to have different key friendlyName?

Sean Leonard dev+openssl at seantek.com
Sat Feb 14 07:56:05 UTC 2015

On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>> Using the openssl pkcs12 -export command, how can one specify a
>> different friendlyName attribute for the private key?
>> For example, consider the command:
>> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
>> key.txt -in user.crt -name "sean user cert 2015" -certfile
>> othercerts.txt
> I'm curious as to why you want to do this.

Well, as a PKI and S/MIME developer I am researching how various bits of 
information relating to crypto objects can be preserved between systems. 
It is useful to set the cert and key friendly names independently for 
certain development and possibly usability reasons. Development reasons 
include needing to address the private key specifically, regardless of 
whether it is associated with any particular certificate, and to see 
when certificates have private key (instances) on particular crypto tokens.

Usability reasons include distinguishing between certificates and 
private keys for users, who tend to get confused about these things 
because virtually no existing UIs meaningfully distinguish between the 
two (usually certificates for which you have a private key are simply 
called "certificates", or possibly "your certificates"...thus a user 
sends "your [his/her] certificate" and while the user's mental model is 
that the certificate is intended to be shared, the user unwittingly 
sends along a p12 file with a simple password like 123456).

Whether the usability is an area of research that I am looking into. No 
pronouncements can be made one way or another yet. Suffice to say that 
the technical capability has to exist at the lower layer before one can 
evaluate usability enhancements at higher layers.

> If no friendlyname is specified on the command line an "alias" associated with
> the certificate is used instead. You can associate an alias with a certificate
> like this:
> openssl x509 -in cert.pem -setalias "some name" -out newcert.pem
> Unfortunately the -name option specified on the command line will also be
> used even if there is an alias present. You can change this by looking in
> crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
> following lines:
>          if (name && !PKCS12_add_friendlyname(bag, name, -1))
>              goto err;
> Then you can specify the certificate friendlyname using the alias and the
> private key friendly name using the command line -name option.

Sounds good...I will attempt this and report back. Ah, the TRUSTED 
CERTIFICATE format returns...
