-
=pod
=head1 NAME
=head1 SYNOPSIS
B<openssl> B<pkcs12>
+[B<-help>]
[B<-export>]
[B<-chain>]
[B<-inkey filename>]
=over 4
+=item B<-help>
+
+Print out a usage message.
+
=item B<-in filename>
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)>).
-Multiple files can be specified separated by a OS-dependent character.
+Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
be used to reduce the private key encryption to 40 bit RC2. A complete
description of all algorithms is contained in the B<pkcs8> manual page.
+Prior 1.1 release passwords containing non-ASCII characters were encoded
+in non-compliant manner, which limited interoperability, in first hand
+with Windows. But switching to standard-compliant password encoding
+poses problem accessing old data protected with broken encoding. For
+this reason even legacy encodings is attempted when reading the
+data. If you use PKCS#12 files in production application you are advised
+to convert the data, because implemented heuristic approach is not
+MT-safe, its sole goal is to facilitate the data upgrade with this
+utility.
+
=head1 EXAMPLES
Parse a PKCS#12 file and output it to a file:
openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:
-
+
openssl pkcs12 -in file.p12 -out file.pem -nodes
Print some info about a PKCS#12 file:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
-certfile othercerts.pem
-=head1 BUGS
-
-Some would argue that the PKCS#12 standard is one big bug :-)
-
-Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation
-routines. Under rare circumstances this could produce a PKCS#12 file encrypted
-with an invalid key. As a result some PKCS#12 files which triggered this bug
-from other implementations (MSIE or Netscape) could not be decrypted
-by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could
-not be decrypted by other implementations. The chances of producing such
-a file are relatively small: less than 1 in 256.
-
-A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
-files cannot no longer be parsed by the fixed version. Under such circumstances
-the B<pkcs12> utility will report that the MAC is OK but fail with a decryption
-error when extracting private keys.
+=head1 SEE ALSO
-This problem can be resolved by extracting the private keys and certificates
-from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12
-file from the keys and certificates using a newer version of OpenSSL. For example:
+L<pkcs8(1)>
- old-openssl -in bad.p12 -out keycerts.pem
- openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12
+=head1 COPYRIGHT
-=head1 SEE ALSO
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
-L<pkcs8(1)>
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+=cut