Generating PFX with 3DES

Newbie User n3wbie001 at gmail.com
Thu Mar 2 18:54:26 UTC 2023


I inspected the default one and it had RC2. The certpbe and keypbe options
are there, but with no explanation like the others on the same page.

I tried certpbe and it didn't work; it seems the application was using FIPS,
so I used keypbe to replace AES-CBC with 3DES. It worked then. Thanks.

On Wed, Mar 1, 2023, 11:20 PM Michael Wojcik via openssl-users <
openssl-users at openssl.org> wrote:

> > From: Newbie User <n3wbie001 at gmail.com>
> > Sent: Wednesday, 1 March, 2023 07:32
>
> > I also saw a keypbe option. Do we have any official docs for all these?
> > Didn't see anything explained in OpenSSL docs for this.
>
> I don't know where you were looking, but:
>
> https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html
>
> lists the -keypbe and -certpbe options, and in the Notes section it refers
> you to the pkcs8 man page:
>
> https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html
>
> and the Notes section of *that* page lists the available suites you can
> use. I believe the OpenSSL 3.0 man pages are similar. I haven't looked at
> the 1.0.2 man pages recently.
>
> > Also, why isn't it 3DES by default, as RC2 was deprecated a long time back?
>
> That I can't answer. There was an issue raised a few years ago (
> https://github.com/openssl/openssl/issues/12227) which pointed out in 3.0
> RC2 requires the legacy provider, so with 3.0 you have to use either
> -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using
> an RC2-based PBE for the default certificate PBE, but maybe there is one.
> If not, you could raise it.
>
> --
> Michael Wojcik
>
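
The export and check discussed in this thread, as an added example that is not part of either poster's message: it writes a PFX with both `-keypbe` and `-certpbe` set to `PBE-SHA1-3DES` (one of the suite names in the pkcs8 man page Notes list) and then uses `openssl pkcs12 -info` to confirm which PBE each bag really got. The function names, file names, subject and password are constructed for the example.

```shell
#!/bin/sh
# Added example: build a PFX whose key bag and cert bag both use 3DES,
# then list the PBE algorithms actually written to the file.
# Subject, password and file names are constructed placeholders.

# make_pfx DIR PASSWORD: create a throwaway self-signed cert and export it.
make_pfx() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pfx-3des.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # -keypbe covers the private key (shrouded key bag),
    # -certpbe covers the certificate (PKCS7 encrypted data).
    openssl pkcs12 -export \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -passout "pass:$pass" -out "$dir/out.pfx"
}

# pfx_algos FILE PASSWORD: print only the lines naming the bag encryption.
# -info writes its report to stderr, hence the 2>&1.
pfx_algos() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 |
        grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):'
}

# uses_only_3des FILE PASSWORD: succeed only if every encrypted bag is 3DES.
uses_only_3des() {
    algos=$(pfx_algos "$1" "$2") || return 1
    # Fail if any bag line names something else (for example RC2 or AES).
    ! printf '%s\n' "$algos" | grep -qv 'pbeWithSHA1And3-KeyTripleDES-CBC'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_pfx "$workdir" 'constructed-password' &&
    pfx_algos "$workdir/out.pfx" 'constructed-password'
```

Running `pfx_algos` against a PFX produced without the two options shows what the installed OpenSSL picks by default, which is how the RC2 default mentioned above can be spotted.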