Generating PFX with 3DES

Newbie User n3wbie001 at
Thu Mar 2 18:54:26 UTC 2023

I inspected the default one and it had RC2. The certpbe and keypbe are
there but no explanation like others on the same page.

Tried certpbe didn't work seems application was using FIPS so used Keypbe
to replace AES-CBC with 3DES. It worked then. Thanks

On Wed, Mar 1, 2023, 11:20 PM Michael Wojcik via openssl-users <
openssl-users at> wrote:

> > From: Newbie User <n3wbie001 at>
> > Sent: Wednesday, 1 March, 2023 07:32
> > I also saw a keypbe option. Do we have any official docs for all these?
> Didn't see anything explained in
> > OpenSSL docs for this.
> I don't know where you were looking, but:
> lists the -keypbe and -certpbe options, and in the Notes section it refers
> you to the pkcs8 man page:
> and the Notes section of *that* page lists the available suites you can
> use. I believe the OpenSSL 3.0 man pages are similar. I haven't looked at
> the 1.0.2 man pages recently.
> > Also why isn't it by default 3DES as RC2 is deprecated long time back.
> That I can't answer. There was an issue raised a few years ago (
> which pointed out in 3.0
> RC2 requires the legacy provider, so with 3.0 you have to use either
> -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using
> an RC2-based PBE for the default certificate PBE, but maybe there is one.
> If not, you could raise it.
> --
> Michael Wojcik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list