When reading a PKCS#12 file, OpenSSL itself tries to distinguish "no password" and "empty password" only by guessing. Firefox also had this issue in the very beginning but it was fixed 13 years ago. This can cause issues in macOS and iOS, as Apple assumes that PKCS#12 always has a password set and it won't allow you to enter an "empty password", so if a file has an empty password set, it's impossible to import it on these systems.

The reason why this works like no password in some cases is that some software will try to read PKCS#12 files with an empty string password first and only if that fails, prompt the user for an actual password, so if the password is empty, the user won't ever be prompted in these cases, making it look like there is "no password" set.

Just hitting return when prompted for a password also won't mean "no password" but it means "empty password" (your password is an empty string), which is legal.

-nodes means "don't encrypt private key" but in a PKCS#12 file, the certificates are encrypted as well, so even with -nodes you'd need an export password. See documentation of -descert which says:

Encrypt the certificate using triple DES, this may render the PKCS#12 file unreadable by some "export grade" software. By default, the private key is encrypted using triple DES and the certificate using 40-bit RC2.

So unless you use this option, the certificates are encrypted using RC2.

Also for openssl pkcs12 the -nodes option is only listed in the section "The options for parsing a PKCS12 file are as follows:"

But you are not parsing such a file, you are creating it and if you look at "The options for PKCS12 file creation are as follows:"

You can change the algorithms for either key or certificate using the options -keypbe and -certpbe.
TL;DR: If you explicitly set the encryption algorithms both to NONE (the one for the key and the one for the cert), you will still have to provide a password but as no encryption is performed, it won't matter which password you provide as the password is simply ignored and the resulting file is not encrypted.

For a full command line sample, check out this reply: