[openssl-users] pkcs12 how to have different key friendlyName?

Sean Leonard dev+openssl at seantek.com
Mon Feb 16 22:48:50 UTC 2015

On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>> Using the openssl pkcs12 -export command, how can one specify a
>> different friendlyName attribute for the private key?
>> For example, consider the command:
>> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
>> key.txt -in user.crt -name "sean user cert 2015" -certfile
>> othercerts.txt
> I'm curious as to why you want to do this.
> If no friendlyname is specified on the command line an "alias" associated with
> the certificate is used instead. You can associate an alias with a certificate
> like this:
> openssl x509 -in cert.pem -setalias "some name" -out newcert.pem
> Unfortunately the -name option specified on the command line will also be
> used even if there is an alias present. You can change this by looking in
> crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
> following lines:
>          if (name && !PKCS12_add_friendlyname(bag, name, -1))
>              goto err;
> Then you can specify the certificate friendlyname using the alias and the
> private key friendly name using the command line -name option.

I attempted to do this today (comment out those two lines) with OpenSSL 
1.0.2. It was around line 127 in p12_crt.c in the 1.0.2 distribution.

Using the -name option managed to set the friendly name of the private 
key, not the certificate. Unfortunately, using {x509 -setalias} followed 
by inputting it to {pkcs12 -in aliasedcert.pem} did not work: the 
friendly name attribute was not set on the certificate. Only the 
localKeyID property was set. I verified the pkcs12 output with {pkcs12 
-in pkcs12.p12 -info}.

When I changed the code to:

         if (!PKCS12_add_friendlyname(bag, "HARDCODED FRIENDLYNAME", -1))
             goto err;

the friendly name of the certificate was set properly to the hardcoded 
value, and the private key friendly name was set to the -name option 
(presumably the name local variable in the same function).

Any ideas on why the alias name is not getting used?

I looked into PKCS12_add_cert (also in p12_crt.c) and did not see 
anything particularly amiss. That function calls X509_alias_get0 -> 
PKCS12_add_friendlyname. As long as the certificate structure has the 
"aux" appendage, it should work. I ran {x509 -in aliasedcert.pem -alias} 
and the proper alias was output. Therefore, I am thinking that something 
is going on with certificate processing prior to the PKCS12_create call, 
which strips the aux information.

Kind regards,


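The experiment described in the message above, scripted as an added example (it is not code from the thread or from the OpenSSL project): it builds a throwaway key and certificate, exports them with `pkcs12 -export -name`, and then reports which friendlyName the key bag and the certificate bag actually carry, which is the check the thread performs by eye with `pkcs12 -info`. A second helper repeats the `x509 -setalias` variant so the result can be compared on whatever OpenSSL build is installed. Assumptions: `openssl` is on PATH, the `pkcs12` listing prints bag attributes as `    friendlyName: ...` lines ahead of each PEM block (the format of OpenSSL 1.x and 3.x), and the function names `p12_friendly_names`, `export_with_name` and `export_with_alias` are hypothetical.

```shell
#!/bin/sh
# Added example: inspect per-bag friendlyName attributes in a PKCS#12 file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway self-signed certificate and key.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# p12_friendly_names FILE PASSWORD
# Prints one line per bag, "key=<friendlyName>" or "cert=<friendlyName>",
# in the order the bags appear. An empty value means the bag has no
# friendlyName attribute (the case the message above reports for the
# aliased certificate). Only the last friendlyName before a PEM block is
# kept, so a bag carrying two such attributes shows the second one.
p12_friendly_names() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null |
    awk '
        /^    friendlyName: / { sub(/^    friendlyName: /, ""); fn = $0; next }
        /^-----BEGIN CERTIFICATE-----/            { print "cert=" fn; fn = "" }
        /^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----/ { print "key=" fn;  fn = "" }
    '
}

# export_with_name NAME OUTFILE: stock -export with a single -name option.
export_with_name() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "$1" -passout pass:demo -out "$2" 2>/dev/null
}

# export_with_alias ALIAS NAME OUTFILE: the thread's variant; set an alias on
# the certificate with x509 -setalias, then export with -name as well.
# Which friendlyName the certificate bag ends up with is the open question
# in the thread, so this helper only reports what the local build produces.
export_with_alias() {
    openssl x509 -in "$WORK/cert.pem" -setalias "$1" -out "$WORK/aliased.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/aliased.pem" \
        -name "$2" -passout pass:demo -out "$3" 2>/dev/null
}

key_name_of()  { p12_friendly_names "$1" demo | sed -n 's/^key=//p'  | head -n 1; }
cert_name_of() { p12_friendly_names "$1" demo | sed -n 's/^cert=//p' | head -n 1; }

make_test_material

export_with_name "sean key 2015" "$WORK/demo.p12"
echo "bags after -export -name 'sean key 2015':"
p12_friendly_names "$WORK/demo.p12" demo

export_with_alias "sean user cert 2015" "sean key 2015" "$WORK/alias.p12"
echo "bags after x509 -setalias 'sean user cert 2015' + -export -name 'sean key 2015':"
p12_friendly_names "$WORK/alias.p12" demo
```

With an unpatched `pkcs12`, the first listing shows `-name` applied to both bags, which is the behaviour the thread wants to separate; the second listing is the one to compare against the observation above, since the outcome depends on whether the alias survives certificate loading in the installed version.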