- Created by Karolin Hemmingsson on Jan 29, 2020
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
Version 1 Next »
pkcs12
is a command-line program used to perform operations on PKCS #12 and PKCS #10 files. The program is located in the <install_root>/tools directory relative to where Nexus Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.
Generate a PKCS10 request
This is the syntax for "Generate a PKCS10 request"
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>|<classname>}] -certrequest <subject-dn> [-signalgorithm <signAlgId>]
These are the options and arguments for "Generate a PKCS10 request":
Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The required password for the PKCS12 soft token. |
-certrequest <subject-dn> | The required designated name of the subject in the PKCS10 Request. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-signalgorithm <signAlgId> | The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA, ECDSA, -RSA. |
-bc | The optional flag signalling usage of Bouncy Castle as the JCE provider. |
-provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
Generate a PKCS10 request using a PKCS12 file:
pkcs12 example.p12 password -bc -certrequest "O=Nexus,CN=My Name" -friendlyname name
Add a key pair to a PKCS12 soft token
This is the syntax for "Add a key pair to a PKCS12 soft token"
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>] [-bc] [-provider {<name>|<classname>}] {-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]} [-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]
These are the options and arguments for "Add a key pair to a PKCS12 soft token":
Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the new key pair stored in the PKCS12 soft token. |
-localkeyid <id> | The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated. |
-encryptalgorithm {aes128| aes192|aes256|des3} | The optional encryption-algorithm to use. Choose one of aes128 , aes192 , aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
-bc | The optional flag signalling usage of Bouncy Castle as the JCE provider. |
-provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
-ec | Generates a new EC (elliptic curve) key pair. |
-curve <ec-curve> | The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1. |
-dsa | Generates a new DSA key pair. |
-rsa | Generates a new RSA key pair. |
-keylength <length> | The optional length of the RSA/RSA key pair to be generated, default is 1024 bits. |
-keyalgorithm <keyAlgID> | The optional key algorithm to use. |
-signalgorithm <SignAlgId> | The optional signature algorithm to use. |
Generate an RSA key pair and store in a PKCS12 file:
pkcs12 example.p12 password -bc -rsa
Generate an EC key pair and store in a PKCS12 file:
pkcs12 example.p12 password -bc -ec
Add a certificate to a PKCS12 soft token
This is the syntax for "Add a certificate to a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>] [-bc] [-provider {<name>|<classname>}] -updatecert <cert-file>
These are the options and arguments for "Add a certificate to a PKCS12 soft token":
Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-encryptalgorithm {aes128| aes192|aes256|des3} | The optional encryption-algorithm to use.Choose one of aes128 , aes192 , aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
-bc | The optional flag signalling usage of Bouncy Castle as the JCE provider. |
-provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
-updatecert <cert-file> | The required name of the certificate file to add to the PKCS12 soft token. |
Add a certificate to a PKCS12 file:
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name
Remove a key pair from a PKCS12 soft token
This is the syntax for "Remove a key pair from a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>] [-bc] [-provider {<name>|<classname>}] -remove
These are the options and arguments for "Remove a key pair from a PKCS12 soft token":
Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-encryptalgorithm {aes128| aes192|aes256|des3} | The optional encryption-algorithm to use. Choose one of aes128 , aes192 , aes256 or des3 (default). |
-iterations <amount> | The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file. |
-bc | The optional flag signalling usage of Bouncy Castle as the JCE provider. |
-provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
-remove | The required flag signalling that the designated key pair should be removed from the PKCS12 soft token. |
Remove a key pair from a PKCS12 file:
pkcs12 example.p12 password -remove -friendlyname name
Export or view the contents of a PKCS12 soft token
This is the syntax for "Export or view the contents of a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>] [-bc] [-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]
These are the options and arguments for "Export or view the contents of a PKCS12 soft token":
Options and arguments | Description |
---|---|
<pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
<password> | The optional password for the PKCS12 soft token. |
-friendlyname <name> | The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used. |
-localkeyid <id> | The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used. |
-bc | The optional flag signalling usage of Bouncy Castle as the JCE provider. |
-provider {<name>|<classname>} | The optional name or classname of the JCE provider to use. |
-all | The optional flag signalling that everything in the stored certificate should be printed. |
-out <bag-filename-prefix> | The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix. |
Detail the contents of a PKCS12 file:
pkcs12 example.p12 password -all
Extract the contents of a PKCS12 file:
pkcs12 example.p12 password -out example
Related information
- No labels