1. Introduction
The pkcs12 command creates and parses PKCS#12 (.pfx/.p12) files.
2. Syntax
openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-CApath arg] [-CAfile arg] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-noiter] [-maciter] [-nomaciter] [-nomac] [-twopass] [-descert] [-certpbe alg] [-keypbe alg] [-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg] [-passout arg] [-rand file(s)] [-LMK] [-CSP name] [-engine e] [-des] [-des3] [-aes128] [-aes192] [-aes256] [-idea] [-camellia128] [-camellia192] [-camellia256] [-nodes]
Options
-export            output PKCS12 file
-chain             add certificate chain
-inkey file        private key if not infile
-certfile f        add all certs in f
-CApath arg        - PEM format directory of CA's
-CAfile arg        - PEM format file of CA's
-name "name"       use name as friendly name
-caname "nm"       use nm as CA friendly name (can be used more than once).
-in infile         input filename
-out outfile       output filename
-noout             don't output anything, just verify.
-nomacver          don't verify MAC.
-nocerts           don't output certificates.
-clcerts           only output client certificates.
-cacerts           only output CA certificates.
-nokeys            don't output private keys.
-info              give info about PKCS#12 structure.
-des               encrypt private keys with DES
-des3              encrypt private keys with triple DES (default)
-idea              encrypt private keys with idea
-seed              encrypt private keys with seed
-aes128, -aes192, -aes256                encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia
-nodes             don't encrypt private keys
-noiter            don't use encryption iteration
-nomaciter         don't use MAC iteration
-maciter           use MAC iteration
-nomac             don't generate MAC
-twopass           separate MAC, encryption passwords
-descert           encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg       specify certificate PBE algorithm (default RC2-40)
-keypbe alg        specify private key PBE algorithm (default 3DES)
-macalg alg        digest algorithm used in MAC (default SHA1)
-keyex             set MS key exchange type
-keysig            set MS key signature type
-password p        set import/export password source
-passin p          input file pass phrase source
-passout p         output file pass phrase source
-engine e          use engine e, possibly a hardware device.
-rand file:file:...  load the file (or the files in the directory) into the random number generator
-CSP name          Microsoft CSP name
-LMK               Add local machine keyset attribute to private key
3. Examples
1. Converting between PKCS#12 and PEM
1) PEM to PKCS#12 (with the CA certificate, and without it)
openssl pkcs12 -export -inkey serverprikey.pem -in server.pem -CAfile demoCA/cacert.pem -password pass:"123456" -out server.pfx
openssl pkcs12 -export -inkey serverprikey.pem -in server.pem -password pass:"123456" -out server_nocert.pfx
2) PKCS#12 to PEM
openssl pkcs12 -in server_nocert.pfx -out server_nocert.pem -nodes -password pass:"123456"
2. Viewing PKCS#12 information
openssl pkcs12 -in server.pfx -password pass:"123456" -info -nocerts -nokeys
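The script below is an added, self-contained walk-through of both example groups above (PEM to PKCS#12 with and without the CA certificate, PKCS#12 back to PEM, and the -info / -noout checks); it is not part of the original page and not OpenSSL project code. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH and builds its own throwaway CA, server key and certificate in a temporary directory; every file name, subject CN and the password are constructed for the demo. Three practitioner details differ from the commands above and are deliberate: the CA certificate is passed with -certfile (or -chain), because -CAfile alone only supplies the trust store that -chain searches and does not by itself put the CA certificate in the bundle; the PBE and MAC algorithms are stated explicitly (AES-256-CBC, SHA-256), because OpenSSL 3 refuses to read bundles made with the old RC2-40/3DES/SHA1 defaults unless -legacy is given; and the password is read from the environment (env:) rather than written on the command line (pass:), which would leave it in process listings and shell history. The last function shows what the MAC over the bundle buys you: a single changed byte makes verification fail on import.

```shell
#!/bin/sh
# Added example (not from the original page): PKCS#12 export/import round trip
# with the openssl pkcs12 command.  Assumes openssl 1.1.1 or 3.x on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

PFX_PW=demo-password            # constructed demo password, read via env: below
export PFX_PW

# Throwaway CA plus a server certificate signed by it (one-day validity).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out server.crt 2>/dev/null
}

# PEM -> PKCS#12.  $1 = output file; any further arguments are extra openssl
# options (e.g. "-certfile ca.crt" to include the CA certificate).
export_pfx() {
    out=$1; shift
    openssl pkcs12 -export -inkey server.key -in server.crt \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passout env:PFX_PW -out "$out" "$@"
}

# Number of certificates stored in bundle $1 (2 with the CA cert, 1 without).
cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PW -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# PKCS#12 -> PEM: extract the private key (-nocerts -nodes writes it
# unencrypted, exactly as in the page's step 2) and confirm it is the key we
# exported by comparing the derived public keys.  Prints "ok" or "mismatch".
key_roundtrip_ok() {
    a=$(openssl pkey -in server.key -pubout)
    b=$(openssl pkcs12 -in "$1" -passin env:PFX_PW -nocerts -nodes 2>/dev/null \
        | sed -n '/-----BEGIN/,/-----END/p' | openssl pkey -pubout)
    [ "$a" = "$b" ] && echo ok || echo mismatch
}

# Flip one byte in the middle of a copy of bundle $1 and ask openssl to verify
# it (-noout = parse and check the MAC, output nothing).  Prints "rejected"
# when the integrity check catches the change, "accepted" otherwise.
tamper_result() {
    cp "$1" tampered.pfx
    size=$(wc -c < tampered.pfx)
    off=$((size / 2))
    byte=$(od -An -tu1 -j "$off" -N 1 tampered.pfx | tr -d ' \n')
    oct=$(printf '%03o' $((byte ^ 255)))
    printf "\\$oct" | dd of=tampered.pfx bs=1 seek="$off" conv=notrunc 2>/dev/null
    if openssl pkcs12 -in tampered.pfx -passin env:PFX_PW -noout 2>/dev/null; then
        echo accepted
    else
        echo rejected
    fi
}

# Same as the page's "view information" step: MAC and PBE details, no secrets.
show_info() {
    openssl pkcs12 -in "$1" -passin env:PFX_PW -info -nocerts -nokeys
}

make_test_pki
export_pfx server.pfx -certfile ca.crt          # bundle with the CA certificate
export_pfx server_nocert.pfx                    # leaf certificate and key only
echo "certificates in server.pfx:        $(cert_count server.pfx)"
echo "certificates in server_nocert.pfx: $(cert_count server_nocert.pfx)"
echo "private key round trip:            $(key_roundtrip_ok server_nocert.pfx)"
echo "one-byte tampered bundle:          $(tamper_result server.pfx)"
show_info server.pfx
```

Run it as `sh pkcs12_demo.sh`; the temporary directory is removed on exit, so the unencrypted PEM key produced by -nodes never outlives the script. When you do keep a -nodes output, treat the file like the password it replaces: restrictive permissions, and delete it as soon as the consuming service has loaded it.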