On 2/13/2015 12:12 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>
>> Using the openssl pkcs12 -export command, is it possible to specify
>> a "-certpbe" value that does not do encryption? Perhaps you only
>> want integrity protection--you don't care whether the certificates
>> are shrouded. The PKCS #12 standard seems to imply that "certBags"
>> can be used as-is; however, all examples of PKCS #12 files that I
>> have seen encrypt the certificates.
>>
> Try -certpbe NONE

Thank you! That did the trick.

The resultant PKCS #12 file contains the certBag type containing OCTET STRINGS identified as x509Certificate, containing the binary certificates. A partial analyzed example from "asn1js" is included for doubters.

Importing this PKCS #12 file into Microsoft CryptoAPI, Mozilla NSS, and Apple Mac OS X Keychain succeeded in all cases. (Note that the -macalg was not changed; it used the default of SHA-1.)

Best regards,

Sean

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shows-certbag-oids-example.png
Type: image/png
Size: 22280 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150213/0d65b1b7/attachment-0001.png>
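
The export discussed in this message, as an added example that is not part of the original post: it builds a PKCS #12 file with `-certpbe NONE` and checks from `openssl pkcs12 -info` that the certificates are unencrypted while the key bag stays shrouded and the MAC is still enforced. The function names, file names, subject and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the key, certificate and password below are throwaway, constructed values.
PASS='constructed-demo-pass'

# Create a self-signed test identity (key.pem, cert.pem) in directory $1.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=p12-demo.example' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Export $1/key.pem and $1/cert.pem to $1/$2; extra arguments go to "pkcs12 -export".
export_p12() {
    dir=$1; out=$2; shift 2
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/$out" -passout "pass:$PASS" "$@"
}

# Print the container layout; openssl writes the -info report to stderr.
p12_layout() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" 2>&1
}

# True when no part of the file is PKCS #7 encryptedData, i.e. the certBags are in the clear.
certs_in_clear() {
    ! p12_layout "$1" | grep -q 'PKCS7 Encrypted data'
}

# True when the private key is still wrapped in a shrouded (encrypted) key bag.
key_shrouded() {
    p12_layout "$1" | grep -q 'Shrouded Keybag'
}

# True when the MAC verifies with the right password and is rejected with a wrong one.
mac_enforced() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$PASS" 2>/dev/null &&
    ! openssl pkcs12 -in "$1" -noout -passin 'pass:wrong' 2>/dev/null
}

# Demo run: export with cleartext certificates and show the resulting layout.
demo=$(mktemp -d)
make_identity "$demo" && export_p12 "$demo" clear.p12 -certpbe NONE &&
    p12_layout "$demo/clear.p12"
rm -rf "$demo"
```

With the certificates unencrypted, anyone holding the file can read subject names and other certificate fields without the password; only the MAC and the key bag depend on it.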