[openssl-users] pkcs12 how to have different key friendlyName?
dev+openssl at seantek.com
Sat Feb 14 07:56:05 UTC 2015
On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>> Using the openssl pkcs12 -export command, how can one specify a
>> different friendlyName attribute for the private key?
>> For example, consider the command:
>> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
>> key.txt -in user.crt -name "sean user cert 2015" -certfile
> I'm curious as to why you want to do this.
Well, as a PKI and S/MIME developer I am researching how various bits of
information relating to crypto objects can be preserved between systems.
It is useful to set the cert and key friendly names independently for
certain development and possibly usability reasons. Development reasons
include needing to address the private key specifically, regardless of
whether it is associated with any particular certificate, and to see
when certificates have private key (instances) on particular crypto tokens.
Usability reasons include distinguishing between certificates and
private keys for users, who tend to get confused about these things
because virtually no existing UIs meaningfully distinguish between the
two (usually certificates for which you have a private key are simply
called "certificates", or possibly "your certificates"...thus a user
sends "your [his/her] certificate" and while the user's mental model is
that the certificate is intended to be shared, the user unwittingly
sends along a p12 file with a simple password like 123456).
Whether the usability is an area of research that I am looking into. No
pronouncements can be made one way or another yet. Suffice to say that
the technical capability has to exist at the lower layer before one can
evaluate usability enhancements at higher layers.
> If no friendlyname is specified on the command line an "alias" associated with
> the certificate is used instead. You can associate an alias with a certificate
> like this:
> openssl x509 -in cert.pem -setalias "some name" -out newcert.pem
> Unfortunately the -name option specified on the command line will also be
> used even if there is an alias present. You can change this by looking in
> crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
> following lines:
> if (name && !PKCS12_add_friendlyname(bag, name, -1))
> goto err;
> Then you can specify the certificate friendlyname using the alias and the
> private key friendly name using the command line -name option.
Sounds good...I will attempt this and report back. Ah, the TRUSTED
CERTIFICATE format returns...
More information about the openssl-users