mirror of
https://github.com/openssl/openssl.git
synced 2024-12-09 05:51:54 +08:00
186bb90705
Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
76 lines
2.7 KiB
Plaintext
76 lines
2.7 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
PKCS12_create - create a PKCS#12 structure
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/pkcs12.h>
|
|
|
|
PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca,
|
|
int nid_key, int nid_cert, int iter, int mac_iter, int keytype);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
PKCS12_create() creates a PKCS#12 structure.
|
|
|
|
B<pass> is the passphrase to use. B<name> is the B<friendlyName> to use for
|
|
the supplied certificate and key. B<pkey> is the private key to include in
|
|
the structure and B<cert> its corresponding certificates. B<ca>, if not B<NULL>
|
|
is an optional set of certificates to also include in the structure.
|
|
|
|
B<nid_key> and B<nid_cert> are the encryption algorithms that should be used
|
|
for the key and certificate respectively. B<iter> is the encryption algorithm
|
|
iteration count to use and B<mac_iter> is the MAC iteration count to use.
|
|
B<keytype> is the type of key.
|
|
|
|
=head1 NOTES
|
|
|
|
The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
|
|
can all be set to zero and sensible defaults will be used.
|
|
|
|
These defaults are: 40 bit RC2 encryption for certificates, triple DES
|
|
encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
|
|
(currently 2048) and a MAC iteration count of 1.
|
|
|
|
The default MAC iteration count is 1 in order to retain compatibility with
|
|
old software which did not interpret MAC iteration counts. If such compatibility
|
|
is not required then B<mac_iter> should be set to PKCS12_DEFAULT_ITER.
|
|
|
|
B<keytype> adds a flag to the store private key. This is a non standard extension
|
|
that is only currently interpreted by MSIE. If set to zero the flag is omitted,
|
|
if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
|
|
it can be used for signing and encryption. This option was useful for old
|
|
export grade software which could use signing only keys of arbitrary size but
|
|
had restrictions on the permissible sizes of keys which could be used for
|
|
encryption.
|
|
|
|
=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
|
|
|
|
Some additional functionality was added to PKCS12_create() in OpenSSL
|
|
0.9.8. These extensions are detailed below.
|
|
|
|
If a certificate contains an B<alias> or B<keyid> then this will be
|
|
used for the corresponding B<friendlyName> or B<localKeyID> in the
|
|
PKCS12 structure.
|
|
|
|
Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or
|
|
certificate is required. In previous versions both had to be present or
|
|
a fatal error is returned.
|
|
|
|
B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption
|
|
should be used.
|
|
|
|
B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<d2i_PKCS12(3)|d2i_PKCS12(3)>
|
|
|
|
=head1 HISTORY
|
|
|
|
PKCS12_create was added in OpenSSL 0.9.3
|
|
|
|
=cut
|