On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard <dev+openssl at seantek.com> wrote:
> Using the openssl pkcs12 -export command, is it possible to specify a
> "-certpbe" value that does not do encryption? Perhaps you only want
> integrity protection--you don't care whether the certificates are shrouded.
> The PKCS #12 standard seems to imply that "certBags" can be used as-is;
> however, all examples of PKCS #12 files that I have seen encrypt the
> certificates.
>
> Will other common crypto stacks be able to process such a PKCS #12 file
> (that does not encrypt the certificates)?

Whenever I hear someone talking about encrypting a certificate, I conclude that they are horribly confused. A cert is signed, over the entire contents, so integrity is reducible to the cryptographic algorithms employed. A cert is not a secret, does not contain secrets, etc.

- M