Diffstat (limited to 'secure/usr.bin/openssl/man/pkcs12.1')
-rw-r--r-- | secure/usr.bin/openssl/man/pkcs12.1 | 125 |
1 files changed, 60 insertions, 65 deletions
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 index 4762491..0eb7690 100644 --- a/secure/usr.bin/openssl/man/pkcs12.1 +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -1,8 +1,7 @@ -.\" Automatically generated by Pod::Man version 1.15 -.\" Wed Feb 19 16:49:35 2003 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: -.\" ====================================================================== +.\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp @@ -15,12 +14,6 @@ .if t .sp .5v .if n .sp .. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. .de Vb \" Begin verbatim text .ft CW .nf @@ -28,15 +21,14 @@ .. .de Ve \" End verbatim text .ft R - .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used -.\" to do unbreakable dashes and therefore won't be available. \*(C` and -.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ 
@@ -56,10 +48,10 @@ . ds R" '' 'br\} .\" -.\" If the F register is turned on, we'll generate index entries on stderr -.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and -.\" index entries marked with X<> in POD. Of course, you'll have to process -.\" the output yourself in some meaningful fashion. +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. .if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" @@ -68,14 +60,13 @@ . rr F .\} .\" -.\" For nroff, turn off justification. Always turn off hyphenation; it -.\" makes way too many mistakes in technical documents. +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. .hy 0 .if n .na .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. -.bd B 3 . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 @@ -135,11 +126,10 @@ . ds Ae AE .\} .rm #[ #] #H #V #F C -.\" ====================================================================== +.\" ======================================================================== .\" .IX Title "PKCS12 1" -.TH PKCS12 1 "0.9.7a" "2003-02-19" "OpenSSL" -.UC +.TH PKCS12 1 "2005-02-25" "0.9.7d" "OpenSSL" .SH "NAME" pkcs12 \- PKCS#12 file utility .SH "SYNOPSIS" @@ -175,7 +165,7 @@ pkcs12 \- PKCS#12 file utility [\fB\-password arg\fR] [\fB\-passin arg\fR] [\fB\-passout arg\fR] -[\fB\-rand \f(BIfile\fB\|(s)\fR] +[\fB\-rand file(s)\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as 
@@ -188,124 +178,124 @@ is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12 file can be created by using the \fB\-export\fR option (see below). .SH "PARSING OPTIONS" .IX Header "PARSING OPTIONS" -.Ip "\fB\-in filename\fR" 4 +.IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default. -.Ip "\fB\-out filename\fR" 4 +.IP "\fB\-out filename\fR" 4 .IX Item "-out filename" The filename to write certificates and private keys to, standard output by default. They are all written in \s-1PEM\s0 format. -.Ip "\fB\-pass arg\fR, \fB\-passin arg\fR" 4 +.IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4 .IX Item "-pass arg, -passin arg" the PKCS#12 file (i.e. input file) password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in -openssl(1). -.Ip "\fB\-passout arg\fR" 4 +\&\fIopenssl\fR\|(1). +.IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" pass phrase source to encrypt any outputed private keys with. For more information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in -openssl(1). -.Ip "\fB\-noout\fR" 4 +\&\fIopenssl\fR\|(1). +.IP "\fB\-noout\fR" 4 .IX Item "-noout" this option inhibits output of the keys and certificates to the output file version of the PKCS#12 file. -.Ip "\fB\-clcerts\fR" 4 +.IP "\fB\-clcerts\fR" 4 .IX Item "-clcerts" only output client certificates (not \s-1CA\s0 certificates). -.Ip "\fB\-cacerts\fR" 4 +.IP "\fB\-cacerts\fR" 4 .IX Item "-cacerts" only output \s-1CA\s0 certificates (not client certificates). -.Ip "\fB\-nocerts\fR" 4 +.IP "\fB\-nocerts\fR" 4 .IX Item "-nocerts" no certificates at all will be output. -.Ip "\fB\-nokeys\fR" 4 +.IP "\fB\-nokeys\fR" 4 .IX Item "-nokeys" no private keys will be output. 
-.Ip "\fB\-info\fR" 4 +.IP "\fB\-info\fR" 4 .IX Item "-info" output additional information about the PKCS#12 file structure, algorithms used and iteration counts. -.Ip "\fB\-des\fR" 4 +.IP "\fB\-des\fR" 4 .IX Item "-des" use \s-1DES\s0 to encrypt private keys before outputting. -.Ip "\fB\-des3\fR" 4 +.IP "\fB\-des3\fR" 4 .IX Item "-des3" use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default. -.Ip "\fB\-idea\fR" 4 +.IP "\fB\-idea\fR" 4 .IX Item "-idea" use \s-1IDEA\s0 to encrypt private keys before outputting. -.Ip "\fB\-nodes\fR" 4 +.IP "\fB\-nodes\fR" 4 .IX Item "-nodes" don't encrypt the private keys at all. -.Ip "\fB\-nomacver\fR" 4 +.IP "\fB\-nomacver\fR" 4 .IX Item "-nomacver" don't attempt to verify the integrity \s-1MAC\s0 before reading the file. -.Ip "\fB\-twopass\fR" 4 +.IP "\fB\-twopass\fR" 4 .IX Item "-twopass" prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such PKCS#12 files unreadable. .SH "FILE CREATION OPTIONS" .IX Header "FILE CREATION OPTIONS" -.Ip "\fB\-export\fR" 4 +.IP "\fB\-export\fR" 4 .IX Item "-export" This option specifies that a PKCS#12 file will be created rather than parsed. -.Ip "\fB\-out filename\fR" 4 +.IP "\fB\-out filename\fR" 4 .IX Item "-out filename" This specifies filename to write the PKCS#12 file to. Standard output is used by default. -.Ip "\fB\-in filename\fR" 4 +.IP "\fB\-in filename\fR" 4 .IX Item "-in filename" The filename to read certificates and private keys from, standard input by default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file. -.Ip "\fB\-inkey filename\fR" 4 +.IP "\fB\-inkey filename\fR" 4 .IX Item "-inkey filename" file to read private key from. If not present then a private key must be present in the input file. 
-.Ip "\fB\-name friendlyname\fR" 4 +.IP "\fB\-name friendlyname\fR" 4 .IX Item "-name friendlyname" This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name is typically displayed in list boxes by software importing the file. -.Ip "\fB\-certfile filename\fR" 4 +.IP "\fB\-certfile filename\fR" 4 .IX Item "-certfile filename" A filename to read additional certificates from. -.Ip "\fB\-caname friendlyname\fR" 4 +.IP "\fB\-caname friendlyname\fR" 4 .IX Item "-caname friendlyname" This specifies the \*(L"friendly name\*(R" for other certificates. This option may be used multiple times to specify names for all certificates in the order they appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0 displays them. -.Ip "\fB\-pass arg\fR, \fB\-passout arg\fR" 4 +.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4 .IX Item "-pass arg, -passout arg" the PKCS#12 file (i.e. output file) password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in -openssl(1). -.Ip "\fB\-passin password\fR" 4 +\&\fIopenssl\fR\|(1). +.IP "\fB\-passin password\fR" 4 .IX Item "-passin password" pass phrase source to decrypt any input private keys with. For more information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in -openssl(1). -.Ip "\fB\-chain\fR" 4 +\&\fIopenssl\fR\|(1). +.IP "\fB\-chain\fR" 4 .IX Item "-chain" if this option is present then an attempt is made to include the entire certificate chain of the user certificate. The standard \s-1CA\s0 store is used for this search. If the search fails it is considered a fatal error. -.Ip "\fB\-descert\fR" 4 +.IP "\fB\-descert\fR" 4 .IX Item "-descert" encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12 file unreadable by some \*(L"export grade\*(R" software. 
By default the private key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0. -.Ip "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4 +.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4 .IX Item "-keypbe alg, -certpbe alg" these options allow the algorithm used to encrypt the private key and certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms can be selected it is advisable only to use PKCS#12 algorithms. See the list in the \fB\s-1NOTES\s0\fR section for more information. -.Ip "\fB\-keyex|\-keysig\fR" 4 +.IP "\fB\-keyex|\-keysig\fR" 4 .IX Item "-keyex|-keysig" specifies that the private key is to be used for key exchange or just signing. This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally @@ -315,7 +305,7 @@ option marks the key for signing only. Signing only keys can be used for S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support the use of signing only keys for \s-1SSL\s0 client authentication. -.Ip "\fB\-nomaciter\fR, \fB\-noiter\fR" 4 +.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4 .IX Item "-nomaciter, -noiter" these options affect the iteration counts on the \s-1MAC\s0 and key algorithms. Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave 
@@ -332,16 +322,16 @@ this reduces the file security you should not use these options unless you really have to. Most software supports both \s-1MAC\s0 and key iteration counts. \&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR option. -.Ip "\fB\-maciter\fR" 4 +.IP "\fB\-maciter\fR" 4 .IX Item "-maciter" This option is included for compatibility with previous versions, it used to be needed to use \s-1MAC\s0 iterations counts but they are now used by default. -.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 -.IX Item "-rand file" +.IP "\fB\-rand file(s)\fR" 4 +.IX Item "-rand file(s)" a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). +generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. .SH "NOTES" .IX Header "NOTES" @@ -363,7 +353,7 @@ the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates. The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption algorithms for private keys and certificates to be specified. Normally the defaults are fine but occasionally software can't handle triple \s-1DES\s0 -encrypted private keys, then the option \fB\-keypbe \s-1PBE-SHA1\-RC2\-40\s0\fR can +encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete description of all algorithms is contained in the \fBpkcs8\fR manual page. .SH "EXAMPLES" 
@@ -373,26 +363,31 @@ Parse a PKCS#12 file and output it to a file: .Vb 1 \& openssl pkcs12 -in file.p12 -out file.pem .Ve +.PP Output only client certificates to a file: .PP .Vb 1 \& openssl pkcs12 -in file.p12 -clcerts -out file.pem .Ve +.PP Don't encrypt the private key: .PP .Vb 1 \& openssl pkcs12 -in file.p12 -out file.pem -nodes .Ve +.PP Print some info about a PKCS#12 file: .PP .Vb 1 \& openssl pkcs12 -in file.p12 -info -noout .Ve +.PP Create a PKCS#12 file: .PP .Vb 1 \& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" .Ve +.PP Include some extra certificates: .PP .Vb 2 @@ -426,4 +421,4 @@ file from the keys and certificates using a newer version of OpenSSL. For exampl .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -pkcs8(1) +\&\fIpkcs8\fR\|(1) |