Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files. The program is located in the <install_root>/tools directory relative to where Smart ID Certificate Manager (CM) is installed. The available set of commands with their supported options and arguments are detailed below the example section.

Generate a PKCS10 request


 Syntax

This is the syntax for "Generate a PKCS10 request"

pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>]
 Options and arguments

These are the options and arguments for "Generate a PKCS10 request":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The required password for the PKCS12 soft token.
-certrequest <subject-dn>The required designated name of the subject in the PKCS10 Request.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-signalgorithm <signAlgId> The optional signature algorithm to use, for example, SHA384withECDSA or SHA256withRSAandMGF1. The default algorithm is SHA256withDSA,  ECDSA, -RSA.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
 Examples

Generate a PKCS10 request using a PKCS12 file:

pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name

Add a key pair to a PKCS12 soft token


 Syntax

This is the syntax for "Add a key pair to a PKCS12 soft token"

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]
 Options and arguments

These are the options and arguments for "Add a key pair to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the new key pair stored in the PKCS12 soft token.
-localkeyid <id>The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset a random id is generated.
-encryptalgorithm {aes128|
aes192|aes256|des3}		The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-ecGenerates a new EC (elliptic curve) key pair.
-curve <ec-curve>The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1.
-dsaGenerates a new DSA key pair.
-rsaGenerates a new RSA key pair.
-keylength <length>

The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA.

-keyalgorithm <keyAlgID>The optional key algorithm to use.
-signalgorithm <SignAlgId>The optional signature algorithm to use.
 Examples

Generate an RSA key pair and store in a PKCS12 file:

pkcs12 example.p12 password -rsa

Generate an EC key pair and store in a PKCS12 file:

pkcs12 example.p12 password -ec

Add a certificate to a PKCS12 soft token


 Syntax

This is the syntax for "Add a certificate to a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -updatecert <cert-file>
 Options and arguments

These are the options and arguments for "Add a certificate to a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}		The optional encryption-algorithm to use.Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-updatecert <cert-file>The required name of the certificate file to add to the PKCS12 soft token.
 Examples

Add a certificate to a PKCS12 file:

pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name

Remove a key pair from a PKCS12 soft token


 Syntax

This is the syntax for "Remove a key pair from a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -remove
 Options and arguments

These are the options and arguments for "Remove a key pair from a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-encryptalgorithm {aes128|
aes192|aes256|des3}		The optional encryption-algorithm to use. Choose one of aes128, aes192, aes256 or des3 (default).
-iterations <amount>The number of hash iterations of the P12 password. Determines the brute force resistance of the P12 file.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-removeThe required flag signalling that the designated key pair should be removed from the PKCS12 soft token.
 Examples

Remove a key pair from a PKCS12 file:

pkcs12 example.p12 password -remove -friendlyname name

Export or view the contents of a PKCS12 soft token


 Syntax

This is the syntax for "Export or view the contents of a PKCS12 soft token":

pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]
 Options and arguments

These are the options and arguments for "Export or view the contents of a PKCS12 soft token":

Options and argumentsDescription
<pkcs12-file>The required path and file name of the P12 file to read from or write to.
<password>The optional password for the PKCS12 soft token.
-friendlyname <name>The optional friendly name for the key pair stored in the PKCS12 soft token. If left unset, the localkeyid flag must be used.
-localkeyid <id>The optional local key id for the key pair stored in the PKCS12 soft token. If left unset, the friendlyname flag must be used.
-provider {<name>|<classname>}The optional name or classname of the JCE provider to use.
-allThe optional flag signalling that everything in the stored certificate should be printed.
-out <bag-filename-prefix>The optional flag signalling that everything in the stored PKCS12 soft token should be exported with the given prefix.
 Examples

Detail the contents of a PKCS12 file:

pkcs12 example.p12 password -all

Extract the contents of a PKCS12 file:

pkcs12 example.p12 password -out example

This article is valid for Certificate Manager 8.5 and later.

Related information

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions