Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info
This article is valid for Certificate Manager 8.5 and later.
Excerpt

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files. 

The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Generate a PKCS10 request

Expand
titleSyntax

This is the syntax for "Generate a PKCS10 request"

Code Block
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>]



Expand
titleOptions and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The required password for the PKCS12 soft token.
-certrequest <subject-dn>The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-signalgorithm <signAlgId> The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA,  ECDSA, -RSA.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.



Expand
titleExamples

Generate a PKCS10 request using a PKCS12 file:

Code Block
pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name


Add a key pair to a PKCS12 soft token


Expand
titleSyntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]



Expand
titleOptions and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-ecGenerates a new EC (elliptic curve) key pair.
-curve <ec-curve>The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsaGenerates a new DSA key pair.
-rsaGenerates a new RSA key pair.
-keylength <length>

The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.

-keyalgorithm <keyAlgID>The optional key algorithm to use.
-signalgorithm <SignAlgId>The optional signature algorithm to use.



Expand
titleExamples

Generate an RSA key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -rsa

Generate an EC key pair and store in a PKCS12 file:

Code Block
pkcs12 example.p12 password -ec


Add a certificate to a PKCS12 soft token


Expand
titleSyntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -updatecert <cert-file>



Expand
titleOptions and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use.Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-updatecert <cert-file>The required name of the certificate file to add to the PKCS12 soft token.



Expand
titleExamples

Add a certificate to a PKCS12 file:

Code Block
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name


Remove a key pair from a PKCS12 soft token


Expand
titleSyntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -remove



Expand
titleOptions and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}
The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-removeThe required flag signalling that the designated key pair should be removed from the PKCS12 soft token.



Expand
titleExamples

Remove a key pair from a PKCS12 file:

Code Block
pkcs12 example.p12 password -remove -friendlyname name


Export or view the contents of a PKCS12 soft token


Expand
titleSyntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

Code Block
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]



Expand
titleOptions and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-allThe optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.



Expand
titleExamples

Detail the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

Code Block
pkcs12 example.p12 password -out example

...

This article is valid for Certificate Manager 8.5 and later.

Related information

...