Generating PFX with 3DES

Michael Wojcik Michael.Wojcik at
Wed Mar 1 17:49:27 UTC 2023

> From: Newbie User <n3wbie001 at> 
> Sent: Wednesday, 1 March, 2023 07:32

> I also saw a keypbe option. Do we have any official docs for all these? Didn't see anything explained in
> OpenSSL docs for this.

I don't know where you were looking, but:

lists the -keypbe and -certpbe options, and in the Notes section it refers you to the pkcs8 man page:

and the Notes section of *that* page lists the available suites you can use. I believe the OpenSSL 3.0 man pages are similar. I haven't looked at the 1.0.2 man pages recently.

> Also why isn't it by default 3DES as RC2 is deprecated long time back.

That I can't answer. There was an issue raised a few years ago ( which pointed out in 3.0 RC2 requires the legacy provider, so with 3.0 you have to use either -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using an RC2-based PBE for the default certificate PBE, but maybe there is one. If not, you could raise it.

Michael Wojcik

More information about the openssl-users mailing list