This article is valid for Certificate Manager 8.5 and later.
pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.

The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available commands, with their supported options and arguments, are detailed in the sections below, each followed by an example.
Generate a PKCS10 request

This is the syntax for "Generate a PKCS10 request":

```
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
       [-provider {<name>|<classname>}]
       -certrequest <subject-dn> [-signalgorithm <signAlgId>]
```

These are the options and arguments for "Generate a PKCS10 request":

Options and arguments | Description
---|---
<pkcs12-file> | The required path and file name of the P12 file to read from or write to.
<password> | The required password for the PKCS12 soft token.
-certrequest <subject-dn> | The required distinguished name (DN) of the subject in the PKCS10 request.
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the -localkeyid flag must be used.
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the -friendlyname flag must be used.
-signalgorithm <signAlgId> | The optional signature algorithm to use, for example SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA.
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use.

Generate a PKCS10 request using a PKCS12 file:

```
pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name
```

Add a key pair to a PKCS12 soft token

This is the syntax for "Add a key pair to a PKCS12 soft token":

```
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
       [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
       [-provider {<name>|<classname>}]
       {-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
       [-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]
```

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and arguments | Description
---|---
<pkcs12-file> | The required path and file name of the P12 file to read from or write to.
<password> | The optional password for the PKCS12 soft token.
-friendlyname <name> | The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id> | The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset, a random id is generated.
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount> | The number of hash iterations applied to the P12 password. A higher count increases the brute-force resistance of the P12 file.
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use.
-ec | Generates a new EC (elliptic curve) key pair.
-curve <ec-curve> | The optional curve to use for the new EC (elliptic curve) key pair. The default is secp256r1.
-dsa | Generates a new DSA key pair.
-rsa | Generates a new RSA key pair.
-keylength <length> | The optional length of the RSA/DSA key pair to be generated. The default is 2048 bits for RSA and 1024 bits for DSA.
-keyalgorithm <keyAlgId> | The optional key algorithm to use.
-signalgorithm <signAlgId> | The optional signature algorithm to use.

Generate an RSA key pair and store it in a PKCS12 file:

```
pkcs12 example.p12 password -
...
```

Generate an EC key pair and store it in a PKCS12 file:

```
pkcs12 example.p12 password -
...
```

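As an added example that is not part of the Nexus documentation, the following POSIX sh wrapper composes the "Add a key pair to a PKCS12 soft token" and "Generate a PKCS10 request" invocations described above with the non-default choices a defender would want: aes256 instead of the des3 default, an -iterations count checked against a local minimum, and the required -friendlyname selector. PKCS12_BIN, the install path and MIN_ITERATIONS are assumptions, and the tool itself is not executed; the functions only emit the argument list.

```shell
#!/bin/sh
# Added example, not part of the Nexus documentation: compose hardened
# pkcs12 invocations for "Add a key pair" and "Generate a PKCS10 request".
# Assumptions: PKCS12_BIN (install path) and MIN_ITERATIONS are local choices;
# the tool is not executed here, the functions only emit the argument list.

PKCS12_BIN="${PKCS12_BIN:-/opt/cm/tools/pkcs12}"   # assumed <install_root>/tools
MIN_ITERATIONS=100000                                # local policy, not a tool default

# Accept only a positive integer at or above the local minimum for -iterations.
check_iterations() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_ITERATIONS" ]
}

# Arguments for "Add a key pair to a PKCS12 soft token": forces aes256 instead
# of the des3 default and a checked iteration count.
# $1 = P12 file, $2 = password, $3 = friendly name, $4 = ec|rsa, $5 = iterations
keygen_args() {
    check_iterations "$5" || { echo "iterations below policy: $5" >&2; return 1; }
    case "$4" in
        ec)  set -- "$1" "$2" -friendlyname "$3" -encryptalgorithm aes256 \
                 -iterations "$5" -ec -curve secp256r1 ;;
        rsa) set -- "$1" "$2" -friendlyname "$3" -encryptalgorithm aes256 \
                 -iterations "$5" -rsa -keylength 3072 ;;
        *)   echo "unsupported key type: $4" >&2; return 1 ;;
    esac
    printf '%s\n' "$*"
}

# Arguments for "Generate a PKCS10 request": the key pair must be selected by
# -friendlyname (or -localkeyid), so refuse to build a command without one.
# $1 = P12 file, $2 = password, $3 = subject DN, $4 = friendly name
certrequest_args() {
    [ -n "$4" ] || { echo "friendly name (or local key id) required" >&2; return 1; }
    set -- "$1" "$2" -certrequest "$3" -friendlyname "$4"
    printf '%s\n' "$*"
}
```

The emitted line is meant to be reviewed and then passed to "$PKCS12_BIN"; a subject DN containing spaces must be quoted again at that point rather than word-split.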
Add a certificate to a PKCS12 soft token

This is the syntax for "Add a certificate to a PKCS12 soft token":

```
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
       [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
       [-provider {<name>|<classname>}] -updatecert <cert-file>
```

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and arguments | Description
---|---
<pkcs12-file> | The required path and file name of the P12 file to read from or write to.
<password> | The optional password for the PKCS12 soft token.
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the -localkeyid flag must be used.
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the -friendlyname flag must be used.
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount> | The number of hash iterations applied to the P12 password. A higher count increases the brute-force resistance of the P12 file.
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use.
-updatecert <cert-file> | The required name of the certificate file to add to the PKCS12 soft token.

Add a certificate to a PKCS12 file:

```
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name
```

Remove a key pair from a PKCS12 soft token

This is the syntax for "Remove a key pair from a PKCS12 soft token":

```
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
       [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
       [-provider {<name>|<classname>}] -remove
```

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and arguments | Description
---|---
<pkcs12-file> | The required path and file name of the P12 file to read from or write to.
<password> | The optional password for the PKCS12 soft token.
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the -localkeyid flag must be used.
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the -friendlyname flag must be used.
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount> | The number of hash iterations applied to the P12 password. A higher count increases the brute-force resistance of the P12 file.
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use.
-remove | The required flag signalling that the designated key pair should be removed from the PKCS12 soft token.

Remove a key pair from a PKCS12 file:

```
pkcs12 example.p12 password -remove -friendlyname name
```

Export or view the contents of a PKCS12 soft token

This is the syntax for "Export or view the contents of a PKCS12 soft token":

```
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
       [-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]
```

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and arguments | Description
---|---
<pkcs12-file> | The required path and file name of the P12 file to read from or write to.
<password> | The optional password for the PKCS12 soft token.
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the -localkeyid flag must be used.
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the -friendlyname flag must be used.
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use.
-all | The optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix> | The optional flag signalling that everything in the stored PKCS12 soft token should be exported to files with the given prefix.

Detail the contents of a PKCS12 file:

```
pkcs12 example.p12 password -all
```

Extract the contents of a PKCS12 file:

```
pkcs12 example.p12 password -out example
```

This article is valid from CM 8.1