MS> On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard <dev+openssl at seantek.com> wrote: >> Using the openssl pkcs12 -export command, is it possible to specify a >> "-certpbe" value that does not do encryption? Perhaps you only want >> integrity protection--you don't care whether the certificates are shrouded. >> The PKCS #12 standard seems to imply that "certBags" can be used as-is; >> however, all examples of PKCS #12 files that I have seen encrypt the >> certificates. >> Will other common crypto stacks be able to process such a PKCS #12 file >> (that does not encrypt the certificates)? MS> Whenever I hear someone talking about encrypting a certificate, I MS> conclude that they are horribly confused. A cert is signed, over the MS> entire contents, so integrity is reducible to the cryptographic MS> algorithms employed. A cert is not a secret, does not contain secrets, MS> etc. It's easy to make a mistake and... ...type "cert" when you really mean "key." ...not remember/understand/grok that PKCS12 files often contain both certs and keys. [And that both can be encrypted.] BTW, as long as we're talking about p12's and encryption. It's my experience that using a cipher other than 3DES [i.e. AES128/256] won't be handled well [i.e. not at all] by current versions of Windows or OSX. I know that's not the direction of the question, and only oblique to it, but perhaps it's useful. -Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150213/1b0711f0/attachment-0001.html>
