This article is valid for Certificate Manager 8.5 and later.
| Excerpt |
|---|
pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.
|
The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.
Generate a PKCS10 request
| Expand |
|---|
|
This is the syntax for "Generate a PKCS10 request" | Code Block |
|---|
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>] |
|
| Expand |
|---|
| title | Options and arguments |
|---|
|
These are the options and arguments for "Generate a PKCS10 request": | Options and arguments | Description |
|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. | | <password> | The required password for the PKCS12 soft token. | | -certrequest <subject-dn> | The required designated name of the subject in the PKCS10 Request. | | -friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. | | -localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. | | -signalgorithm <signAlgId> | The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA. | | -provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
|
| Expand |
|---|
|
Generate a PKCS10 request using a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name |
|
Add a key pair to a PKCS12 soft token
| Expand |
|---|
|
This is the syntax for "Add a key pair to a PKCS12 soft token" | Code Block |
|---|
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>] |
|
| Expand |
|---|
| title | Options and arguments |
|---|
|
These are the options and arguments for "Add a key pair to a PKCS12 soft token": | Options and arguments | Description |
|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. | | <password> | The optional password for the PKCS12 soft token. | | -friendlyname <name> | The optional friendly name for the new key pair stored in the PKCS12 soft token. | | -localkeyid <id> | The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated. | -encryptalgorithm {aes128|
aes192|aes256|des3} | The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default). | | -iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. | | -provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. | | -ec | Generates a new EC (elliptic curve) key pair. | | -curve <ec-curve> | The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1. | | -dsa | Generates a new DSA key pair. | | -rsa | Generates a new RSA key pair. | | -keylength <length> | The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA. | | -keyalgorithm <keyAlgID> | The optional key algorithm to use. | | -signalgorithm <SignAlgId> | The optional signature algorithm to use. |
|
| Expand |
|---|
|
Generate an RSA key pair and store in a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -rsa |
Generate an EC key pair and store in a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -ec |
|
Add a certificate to a PKCS12 soft token
| Expand |
|---|
|
This is the syntax for "Add a certificate to a PKCS12 soft token": | Code Block |
|---|
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -updatecert <cert-file> |
|
| Expand |
|---|
| title | Options and arguments |
|---|
|
These are the options and arguments for "Add a certificate to a PKCS12 soft token": | Options and arguments | Description |
|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. | | <password> | The optional password for the PKCS12 soft token. | | -friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. | | -localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. | -encryptalgorithm {aes128|
aes192|aes256|des3} | The optional encryption-algorithm to use.Choose one of aes128, aes192, aes256 or des3 (default). | | -iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. | | -provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. | | -updatecert <cert-file> | The required name of the certificate file to add to the PKCS12 soft token. |
|
| Expand |
|---|
|
Add a certificate to a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name |
|
Remove a key pair from a PKCS12 soft token
| Expand |
|---|
|
This is the syntax for "Remove a key pair from a PKCS12 soft token": | Code Block |
|---|
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -remove |
|
| Expand |
|---|
| title | Options and arguments |
|---|
|
These are the options and arguments for "Remove a key pair from a PKCS12 soft token": | Options and arguments | Description |
|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. | | <password> | The optional password for the PKCS12 soft token. | | -friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. | | -localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. | -encryptalgorithm {aes128|
aes192|aes256|des3} | The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default). | | -iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. | | -provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. | | -remove | The required flag signalling that the designated key pair should be removed from the PKCS12 soft token. |
|
| Expand |
|---|
|
Remove a key pair from a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -remove -friendlyname name |
|
Export or view the contents of a PKCS12 soft token
| Expand |
|---|
|
This is the syntax for "Export or view the contents of a PKCS12 soft token": | Code Block |
|---|
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>] |
|
| Expand |
|---|
| title | Options and arguments |
|---|
|
These are the options and arguments for "Export or view the contents of a PKCS12 soft token": | Options and arguments | Description |
|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. | | <password> | The optional password for the PKCS12 soft token. | | -friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. | | -localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. | | -provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. | | -all | The optional flag signalling that everything in the stored certificate should be printed. | | -out <bag-filename-prefix> | The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix. |
|
| Expand |
|---|
|
Detail the contents of a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -all |
Extract the contents of a PKCS12 file: | Code Block |
|---|
pkcs12 example.p12 password -out example |
|
...
This article is valid for Certificate Manager 8.5 and later.
Related information
...
