author    Sahana Prasad <sahana@redhat.com>      2020-07-22 13:36:36 +0200
committer Tomas Mraz <tmraz@fedoraproject.org>   2020-08-06 18:03:29 +0200
commit    15c9aa3aef77c642ef2b6c84bba2b57b35ed083e (patch)
tree      3563d1fe633f075353a74e8fe1c95c28b6ca3205 /doc/man1/openssl-pkcs12.pod.in
parent    1b2873e4a1ed49b45555eb9a6ecff4d38df8d7e9 (diff)
apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2
Fixes #11672

Add "-legacy" option to load the legacy provider and fall back to the old legacy default algorithms.

doc/man1/openssl-pkcs12.pod.in: updates documentation about the new "-legacy" option

Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12540)
Diffstat (limited to 'doc/man1/openssl-pkcs12.pod.in')
-rw-r--r--  doc/man1/openssl-pkcs12.pod.in | 24
1 files changed, 22 insertions, 2 deletions
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 3a97a81517..90d8a7e19e 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -44,6 +44,7 @@ B<openssl> B<pkcs12>
[B<-maciter>]
[B<-nomac>]
[B<-twopass>]
+[B<-legacy>]
[B<-descert>]
[B<-certpbe> I<cipher>]
[B<-keypbe> I<cipher>]
@@ -166,6 +167,16 @@ always assumes these are the same so this option will render such
PKCS#12 files unreadable. Cannot be used in combination with the options
B<-password>, B<-passin> if importing, or B<-passout> if exporting.
+=item B<-legacy>
+
+Use legacy mode of operation and automatically load the legacy provider.
+In the legacy mode, the default algorithm for certificate encryption
+is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled
+in the build. The default algorithm for private key encryption is 3DES_CBC.
+If the legacy option is not specified, then the legacy provider is not loaded
+and the default encryption algorithm for both certificates and private keys is
+AES_256_CBC with PBKDF2 for key derivation by default.
+
=back
=head1 FILE CREATION OPTIONS
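Review bot: the new B<-legacy> paragraph is less precise than the text it is meant to replace and is inconsistent with the rest of this file's markup. It calls the legacy certificate cipher "RC2_CBC" while the B<-descert> paragraph further down (the one this patch rewrites) calls it "40 bit RC2"; the key size matters for anyone judging an existing file and should be stated here too. It names the key derivation only for the new default ("AES_256_CBC with PBKDF2") but not for legacy mode, so a reader cannot tell what the legacy provider falls back to for key derivation; please state it. "the legacy option" should be "the B<-legacy> option" to match how every other option in this file is referenced (B<-password>, B<-passin>, B<-passout> in the surrounding context), "In the legacy mode" should be "In legacy mode", and the trailing "by default" on the last sentence duplicates "the default encryption algorithm" earlier in the same sentence and can be dropped.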
@@ -229,8 +240,9 @@ for this search. If the search fails it is considered a fatal error.
Encrypt the certificate using triple DES, this may render the PKCS#12
file unreadable by some "export grade" software. By default the private
-key is encrypted using triple DES and the certificate using 40 bit RC2
-unless RC2 is disabled in which case triple DES is used.
+key is encrypted using AES and the certificate using triple DES unless
+the '-legacy' option is used. If '-descert' is used with the '-legacy'
+then both, the private key and the certificate are encrypted using triple DES.
=item B<-keypbe> I<alg>, B<-certpbe> I<alg>
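Review bot: the rewritten default contradicts the B<-legacy> description added in the previous hunk. That text says the non-legacy default for both certificates and private keys is AES_256_CBC, whereas the sentence here says the private key uses AES and "the certificate using triple DES unless the '-legacy' option is used". One of the two is wrong; if the new default really is AES for both, this should read "key and the certificate are encrypted using AES unless the B<-legacy> option is used". Separately, '-legacy' and '-descert' in single quotes should use the B<-legacy> / B<-descert> POD markup used for every other option in this file, and "If '-descert' is used with the '-legacy' then both, the private key and the certificate" should read "If B<-descert> is used together with B<-legacy> then both the private key and the certificate" (no stray comma after "both", and "the '-legacy'" is missing the word "option").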
@@ -355,6 +367,10 @@ Print some info about a PKCS#12 file:
openssl pkcs12 -in file.p12 -info -noout
+Print some info about a PKCS#12 file in legacy mode:
+
+ openssl pkcs12 -in file.p12 -info -noout -legacy
+
Create a PKCS#12 file:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
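Review bot: this example implies that reading an existing file with B<-info> can require B<-legacy>, but the B<-legacy> description added earlier in this patch only talks about the default encryption algorithms chosen when a file is created. A reader will not know when to add the option for B<-info>. Suggest one sentence in the option description (or a short lead-in here) saying that files encrypted with the legacy default algorithms described there need B<-legacy> to be read, since that is the case this example exists for.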
@@ -364,6 +380,10 @@ Include some extra certificates:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
-certfile othercerts.pem
+Export a PKCS#12 file with default encryption algorithms as in the legacy provider:
+
+ openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
+
=head1 SEE ALSO
L<openssl(1)>,
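Review bot: "with default encryption algorithms as in the legacy provider" is hard to parse; suggest "Export a PKCS#12 file using the legacy default encryption algorithms:". Since this is the only export example that shows what B<-legacy> changes, it would also help to name those algorithms in the lead-in (the B<-legacy> description gives them as RC2_CBC or 3DES_CBC for the certificate and 3DES_CBC for the key) so the reader sees what they are opting into. Minor: the other export examples in this section use C<-in file.pem> without B<-inkey>; using C<cert.pem>/C<key.pem> here is fine but the difference is unexplained.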