On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>
>> Using the openssl pkcs12 -export command, how can one specify a
>> different friendlyName attribute for the private key?
>>
>> For example, consider the command:
>> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
>> key.txt -in user.crt -name "sean user cert 2015" -certfile
>> othercerts.txt
>>
> I'm curious as to why you want to do this.

Well, as a PKI and S/MIME developer I am researching how various bits of information relating to crypto objects can be preserved between systems. It is useful to set the cert and key friendly names independently for certain development and possibly usability reasons.

Development reasons include needing to address the private key specifically, regardless of whether it is associated with any particular certificate, and to see when certificates have private key (instances) on particular crypto tokens.

Usability reasons include distinguishing between certificates and private keys for users, who tend to get confused about these things because virtually no existing UIs meaningfully distinguish between the two (usually certificates for which you have a private key are simply called "certificates", or possibly "your certificates"...thus a user sends "your [his/her] certificate" and, while the user's mental model is that the certificate is intended to be shared, the user unwittingly sends along a p12 file with a simple password like 123456).

Whether the usability improves is an area of research that I am looking into. No pronouncements can be made one way or another yet. Suffice to say that the technical capability has to exist at the lower layer before one can evaluate usability enhancements at higher layers.

> If no friendlyname is specified on the command line an "alias" associated with
> the certificate is used instead. You can associate an alias with a certificate
> like this:
>
> openssl x509 -in cert.pem -setalias "some name" -out newcert.pem
>
> Unfortunately the -name option specified on the command line will also be
> used even if there is an alias present. You can change this by looking in
> crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
> following lines:
>
> if (name && !PKCS12_add_friendlyname(bag, name, -1))
>     goto err;
>
> Then you can specify the certificate friendlyname using the alias and the
> private key friendly name using the command line -name option.

Sounds good...I will attempt this and report back.

Ah, the TRUSTED CERTIFICATE format returns...

Sean
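Added illustration, not code from the thread or from OpenSSL: in PKCS#12, friendlyName is an attribute attached to each SafeBag, which is why a key bag and a certificate bag can carry different names. The stdlib-only Python below encodes two bags with the names from the example command and reads the names back; the bag values and the SafeContents itself are constructed placeholders, not a real key or certificate.

```python
SEQ, SET, OID, OCTETS, BMPSTR, CTX0 = 0x30, 0x31, 0x06, 0x04, 0x1E, 0xA0
OID_FRIENDLY_NAME = bytes.fromhex("2a864886f70d010914")  # 1.2.840.113549.1.9.20
OID_KEY_BAG = bytes.fromhex("2a864886f70d010c0a0101")    # pkcs-12 keyBag
OID_CERT_BAG = bytes.fromhex("2a864886f70d010c0a0103")   # pkcs-12 certBag

def der(tag, body):
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def walk(buf):
    """Yield (tag, body) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def safe_bag(bag_oid, bag_value, name):
    """SafeBag ::= SEQUENCE { bagId OID, [0] bagValue, bagAttributes SET OF Attribute }.
    friendlyName is an Attribute { OID, SET { BMPString } } carried by this bag only."""
    friendly = der(SEQ, der(OID, OID_FRIENDLY_NAME)
                   + der(SET, der(BMPSTR, name.encode("utf-16-be"))))
    return der(SEQ, der(OID, bag_oid) + der(CTX0, bag_value) + der(SET, friendly))

def friendly_names(safe_contents):
    """Return [(bagId OID hex, friendlyName or None)] for each SafeBag in a SafeContents."""
    out = []
    _, bags = next(walk(safe_contents))  # SafeContents ::= SEQUENCE OF SafeBag
    for _, bag in walk(bags):
        parts = list(walk(bag))
        name = None
        if len(parts) > 2 and parts[2][0] == SET:  # bagAttributes are OPTIONAL
            for _, attr in walk(parts[2][1]):
                (_, aoid), (_, values) = list(walk(attr))[:2]
                if aoid == OID_FRIENDLY_NAME:
                    name = next(walk(values))[1].decode("utf-16-be")
        out.append((parts[0][1].hex(), name))
    return out

# Constructed sample: a key bag and a cert bag with the two names from the command in
# the thread. Bag values are placeholders, not real PKCS#8 or certificate DER.
SAMPLE_SAFE_CONTENTS = der(SEQ,
    safe_bag(OID_KEY_BAG, der(OCTETS, b"<pkcs8 placeholder>"), "sean key 2015")
    + safe_bag(OID_CERT_BAG, der(OCTETS, b"<cert placeholder>"), "sean user cert 2015"))
```

In a real file produced by openssl pkcs12 the certificate bags usually sit inside an encrypted SafeContents, so this parser only applies to SafeContents you have already decrypted or that were stored in the clear.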