> From: Newbie User <n3wbie001@xxxxxxxxx>
> Sent: Wednesday, 1 March, 2023 07:32

> I also saw a keypbe option. Do we have any official docs for all these? Didn't see anything explained in
> OpenSSL docs for this.

I don't know where you were looking, but:

https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html

lists the -keypbe and -certpbe options, and in the Notes section it refers you to the pkcs8 man page:

https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html

and the Notes section of *that* page lists the available suites you can use.

I believe the OpenSSL 3.0 man pages are similar. I haven't looked at the 1.0.2 man pages recently.

> Also why isn't it by default 3DES as RC2 is deprecated long time back.

That I can't answer. There was an issue raised a few years ago (https://github.com/openssl/openssl/issues/12227) which pointed out in 3.0 RC2 requires the legacy provider, so with 3.0 you have to use either -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using an RC2-based PBE for the default certificate PBE, but maybe there is one. If not, you could raise it.

--
Michael Wojcik
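
The -certpbe and -keypbe options discussed above, shown in use and then checked with `pkcs12 -info`. This is an added example, not part of the original message. It assumes `openssl` is on the PATH; the file names, subject and password are constructed for the demo, and PBE-SHA1-3DES is one of the suites listed on the pkcs8 man page.

```shell
#!/bin/sh
# Added example: build a PKCS#12 file with explicit PBE choices and inspect it.
# All file names, the subject and the password are constructed for this demo.

PASS='constructed-demo-pass'

# Create a throwaway key and self-signed certificate, then export them with
# the given certificate and key PBE suites. Prints the path of the .p12 file.
make_p12() {
    certpbe=$1; keypbe=$2
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=pbe-demo.invalid' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -certpbe "$certpbe" -keypbe "$keypbe" \
        -passout "pass:$PASS" -out "$dir/bundle.p12" || return 1
    echo "$dir/bundle.p12"
}

# Print the lines of `pkcs12 -info` that name the PBE algorithm of each bag.
pbe_lines() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -info -noout 2>&1 |
        grep -E 'Encrypted data|Shrouded Keybag'
}

# Count the bags protected with SHA1 + 3DES (expected: cert bag and key bag).
count_3des() {
    pbe_lines "$1" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC' || true
}

p12=$(make_p12 PBE-SHA1-3DES PBE-SHA1-3DES) || exit 1
pbe_lines "$p12"
echo "3DES-protected bags: $(count_3des "$p12")"
rm -rf "$(dirname "$p12")"
```

Running `pbe_lines` on an existing .p12 file is a quick way to see whether its certificate bag still uses an RC2-based PBE.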