This article is valid for Certificate Manager 8.5 and later.

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.

The program is located in the <install_root>/tools directory, where <install_root> is the directory in which Smart ID Certificate Manager (CM) is installed. The available commands, with their supported options and arguments, are detailed below the example section.

Generate a PKCS10 request
This is the syntax for "Generate a PKCS10 request":

    pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
    [-provider {<name>|<classname>}]
    -certrequest <subject-dn> [-signalgorithm <signAlgId>]

These are the options and arguments for "Generate a PKCS10 request":

Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The required password for the PKCS12 soft token. |
-certrequest <subject-dn> | The required distinguished name (DN) of the subject in the PKCS10 request. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-signalgorithm <signAlgId> | The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA ... . |
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |

Generate a PKCS10 request using a PKCS12 file:

    pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token
This is the syntax for "Add a key pair to a PKCS12 soft token":

    pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
    [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
    [-provider {<name>|<classname>}]
    {-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
    [-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the new key pair stored in the PKCS12 soft token. |
-localkeyid <id> | The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset, a random id is generated. |
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
- ... {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
-ec | Generates a new EC (elliptic curve) key pair. |
-curve <ec-curve> | The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1. |
-dsa | Generates a new DSA key pair. |
-rsa | Generates a new RSA key pair. |
-keylength <length> | The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA. |
-keyalgorithm <keyAlgId> | The optional key algorithm to use. |
-signalgorithm <signAlgId> | The optional signature algorithm to use. |

Generate an RSA key pair and store in a PKCS12 file:

    pkcs12 example.p12 password ...

Generate an EC key pair and store in a PKCS12 file:

    pkcs12 example.p12 password - ...

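An iteration count is stored in the P12 file itself (MacData.iterations in RFC 7292), so the brute force resistance described for -iterations can be audited after a file has been written. The following is an added example, not part of the Certificate Manager documentation or tooling: it reads that count from a DER-encoded file. That the pkcs12 tool records its -iterations value in this field is an assumption, and sample_pfx builds a constructed skeleton, not a real key store.

```python
# Added example (not Certificate Manager code): read MacData.iterations from a PFX.
# RFC 7292: PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }
#           MacData ::= SEQUENCE { mac, macSalt, iterations INTEGER DEFAULT 1 }

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def mac_iterations(pfx_der):
    """Return the MAC iteration count, or None when the file has no MacData."""
    tag, body, _ = read_tlv(pfx_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(body)  # version, authSafe, optional macData
    if len(fields) < 3:
        return None
    mac = children(fields[2][1])  # mac, macSalt, optional iterations
    return int.from_bytes(mac[2][1], "big") if len(mac) > 2 else 1

def tlv(tag, content):
    """Short-form DER encoder, used only to build the constructed sample."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def sample_pfx(iterations):
    """Constructed PFX skeleton (placeholder digest and salt), not a real key store."""
    sha256 = tlv(0x06, bytes.fromhex("608648016503040201"))  # OID 2.16.840.1.101.3.4.2.1
    data = tlv(0x06, bytes.fromhex("2a864886f70d010701"))    # OID 1.2.840.113549.1.7.1
    count = iterations.to_bytes((iterations.bit_length() + 8) // 8, "big")
    mac = tlv(0x30, tlv(0x30, tlv(0x30, sha256) + tlv(0x04, bytes(32)))
              + tlv(0x04, bytes(8)) + tlv(0x02, count))
    return tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, data) + mac)

if __name__ == "__main__":
    print(mac_iterations(sample_pfx(2048)))
```

A result of None means the file carries no password-based MAC at all, and a result of 1 means the count was omitted and the RFC 7292 default applies.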
Add a certificate to a PKCS12 soft token
This is the syntax for "Add a certificate to a PKCS12 soft token":

    pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
    [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
    [-provider {<name>|<classname>}] -updatecert <cert-file>

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
-updatecert <cert-file> | The required name of the certificate file to add to the PKCS12 soft token. |

Add a certificate to a PKCS12 file:

    pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token
This is the syntax for "Remove a key pair from a PKCS12 soft token":

    pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
    [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
    [-provider {<name>|<classname>}] -remove

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
- ... {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
-remove | The required flag signalling that the designated key pair should be removed from the PKCS12 soft token. |

Remove a key pair from a PKCS12 file:

    pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token
This is the syntax for "Export or view the contents of a PKCS12 soft token":

    pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
    [-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
-all | The optional flag signalling that everything in the stored certificate should be printed. |
-out <bag-filename-prefix> | The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix. |

Detail the contents of a PKCS12 file:

    pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

    pkcs12 example.p12 password -out example

This article is valid for Certificate Manager 8.1 and later.