I inspected the default one and it had RC2. The certpbe and keypbe options are there, but there is no explanation like for the others on the same page.
Tried certpbe; it didn't work. It seems the application was using FIPS, so I used keypbe to replace AES-CBC with 3DES. It worked then. Thanks
On Wed, Mar 1, 2023, 11:20 PM Michael Wojcik via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> From: Newbie User <n3wbie001@xxxxxxxxx>
> Sent: Wednesday, 1 March, 2023 07:32
> I also saw a keypbe option. Do we have any official docs for all these? Didn't see anything explained in OpenSSL docs for this.
I don't know where you were looking, but:
https://www.openssl.org/docs/man1.1.1/man1/pkcs12.html
lists the -keypbe and -certpbe options, and in the Notes section it refers you to the pkcs8 man page:
https://www.openssl.org/docs/man1.1.1/man1/pkcs8.html
and the Notes section of *that* page lists the available suites you can use. I believe the OpenSSL 3.0 man pages are similar. I haven't looked at the 1.0.2 man pages recently.
> Also, why isn't it 3DES by default, as RC2 was deprecated a long time back?
That I can't answer. There was an issue raised a few years ago (https://github.com/openssl/openssl/issues/12227) which pointed out that in 3.0 RC2 requires the legacy provider, so with 3.0 you have to use either -certpbe or -provider or openssl pkcs12 fails. I didn't see one about using an RC2-based PBE for the default certificate PBE, but maybe there is one. If not, you could raise it.
--
Michael Wojcik
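As an added example (not from this thread or the OpenSSL project), the script below does what the -certpbe/-keypbe discussion above describes: it exports a PKCS#12 with both PBE algorithms pinned to AES-256-CBC (PBES2/PBKDF2, which needs no legacy provider) and then parses the `pkcs12 -info` report to confirm no RC2-based PBE ended up in the file. The demo key, the CN and the password are constructed placeholders; the `pkcs12 -info` lines are written to stderr, which is why it is redirected.

```shell
#!/bin/sh
# Added example: pin the PKCS#12 PBE algorithms explicitly and verify them.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='pass:example-password'   # constructed demo password only

# Throwaway self-signed key + cert for the demo (constructed CN).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.example \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Export with -certpbe AND -keypbe set to a cipher name (PBES2 with PBKDF2),
# so the result does not depend on the tool's defaults or on RC2/legacy.
export_p12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passout "$PASS" -out "$WORK/bundle.p12"
}

# Keep only the lines describing how the cert bag and key bag are encrypted.
# `-info` prints them to stderr, e.g. "PKCS7 Encrypted data: PBES2, PBKDF2, ..."
# and "Shrouded Keybag: PBES2, PBKDF2, ...".
p12_algorithms() {
    openssl pkcs12 -in "$WORK/bundle.p12" -info -noout -passin "$PASS" 2>&1 \
        | grep -E 'Encrypted data|Keybag'
}

# Prints "ok" when no RC2 PBE is present and AES-256-CBC covers both bags,
# "skip" when no openssl binary is installed, and "bad" otherwise.
check_p12() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    make_demo_cert && export_p12
    algs=$(p12_algorithms)
    if echo "$algs" | grep -qi rc2; then echo bad; return 0; fi
    [ "$(echo "$algs" | grep -ci 'aes-256-cbc')" -ge 2 ] && echo ok || echo bad
}

check_p12
```

The same `p12_algorithms` check, pointed at an existing .p12 file, is a quick way to see whether a bundle produced by older defaults still carries an RC2-based PBE.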