1.\" $OpenBSD: PKCS12_create.3,v 1.4 2016/11/28 22:41:38 schwarze Exp $ 2.\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 3.\" 4.\" This file was written by Dr. Stephen Henson <steve@openssl.org>. 5.\" Copyright (c) 2002, 2015 The OpenSSL Project. All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in 16.\" the documentation and/or other materials provided with the 17.\" distribution. 18.\" 19.\" 3. All advertising materials mentioning features or use of this 20.\" software must display the following acknowledgment: 21.\" "This product includes software developed by the OpenSSL Project 22.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 23.\" 24.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25.\" endorse or promote products derived from this software without 26.\" prior written permission. For written permission, please contact 27.\" openssl-core@openssl.org. 28.\" 29.\" 5. Products derived from this software may not be called "OpenSSL" 30.\" nor may "OpenSSL" appear in their names without prior written 31.\" permission of the OpenSSL Project. 32.\" 33.\" 6. Redistributions of any form whatsoever must retain the following 34.\" acknowledgment: 35.\" "This product includes software developed by the OpenSSL Project 36.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 37.\" 38.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49.\" OF THE POSSIBILITY OF SUCH DAMAGE. 50.\" 51.Dd $Mdocdate: November 28 2016 $ 52.Dt PKCS12_CREATE 3 53.Os 54.Sh NAME 55.Nm PKCS12_create 56.Nd create a PKCS#12 structure 57.Sh SYNOPSIS 58.In openssl/pkcs12.h 59.Ft PKCS12 * 60.Fo PKCS12_create 61.Fa "char *pass" 62.Fa "char *name" 63.Fa "EVP_PKEY *pkey" 64.Fa "X509 *cert" 65.Fa "STACK_OF(X509) *ca" 66.Fa "int nid_key" 67.Fa "int nid_cert" 68.Fa "int iter" 69.Fa "int mac_iter" 70.Fa "int keytype" 71.Fc 72.Sh DESCRIPTION 73.Fn PKCS12_create 74creates a PKCS#12 structure. 75.Pp 76.Fa pass 77is the passphrase to use. 78.Fa name 79is the 80.Sy friendlyName 81to use for the supplied certificate and key. 82.Fa pkey 83is the private key to include in the structure and 84.Fa cert 85its corresponding certificates. 86.Fa ca 87is an optional set of certificates to also include in the structure. 88.Fa pkey , 89.Fa cert , 90or both can be 91.Dv NULL 92to indicate that no key or certificate is required. 93.Pp 94.Fa nid_key 95and 96.Fa nid_cert 97are the encryption algorithms that should be used for the key and 98certificate, respectively. 99If either 100.Fa nid_key 101or 102.Fa nid_cert 103is set to -1, no encryption will be used. 104.Pp 105.Fa iter 106is the encryption algorithm iteration count to use and 107.Fa mac_iter 108is the MAC iteration count to use. 109If 110.Fa mac_iter 111is set to -1, the MAC will be omitted entirely. 112.Pp 113.Fa keytype 114is the type of key. 115.Pp 116The parameters 117.Fa nid_key , 118.Fa nid_cert , 119.Fa iter , 120.Fa mac_iter , 121and 122.Fa keytype 123can all be set to zero and sensible defaults will be used. 124.Pp 125These defaults are: 40-bit RC2 encryption for certificates, triple DES 126encryption for private keys, a key iteration count of 127PKCS12_DEFAULT_ITER (currently 2048) and a MAC iteration count of 1. 128.Pp 129The default MAC iteration count is 1 in order to retain compatibility 130with old software which did not interpret MAC iteration counts. 131If such compatibility is not required then 132.Fa mac_iter 133should be set to PKCS12_DEFAULT_ITER. 134.Pp 135.Fa keytype 136adds a flag to the store private key. 137This is a non-standard extension that is only currently interpreted by 138MSIE. 139If set to zero the flag is omitted; if set to 140.Dv KEY_SIG 141the key can be used for signing only; and if set to 142.Dv KEY_EX 143it can be used for signing and encryption. 144This option was useful for old export grade software which could use 145signing only keys of arbitrary size but had restrictions on the 146permissible sizes of keys which could be used for encryption. 147.Pp 148If a certificate contains an 149.Sy alias 150or 151.Sy keyid 152then this will be used for the corresponding 153.Sy friendlyName 154or 155.Sy localKeyID 156in the PKCS12 structure. 157.Sh SEE ALSO 158.Xr d2i_PKCS12 3 159.Sh HISTORY 160PKCS12_create was added in OpenSSL 0.9.3. 161.Pp 162Before OpenSSL 0.9.8, neither 163.Fa pkey 164nor 165.Fa cert 166were allowed to be 167.Dv NULL , 168and a value of -1 was not allowed for 169.Fa nid_key , 170.Fa nid_cert , 171and 172.Fa mac_iter . 173