Just because the PKCS12 is going to be YOUR cert (to sign), it requires this password. It cannot be optional because when you are about to install this file in an email client, the email client needs to make sure it's yours; so the password is then asked. No password is requested for OTHERS' certs, because those are used just to encrypt and for verification of others' signatures.
In other words, if I find YOUR pkcs12 file somewhere and I want to install it in my email client, to sign or forge your mails, and if you had made it with the -non possible- optional password OFF, I would be free to forge your signed mails. For the same reason the PKCS12 has to be produced by the person him/herself. You cannot tell somebody else: "hey, this is my cert AND PRIVATE KEY, please produce my pkcs12".

And for reasons like the above it is not simple to have a reliable WebService which gives you: key pairs, cert, pkcs12, etc., because then your private and personal data would be FROM THE START in the hands of somebody else, unless the trust and reputation are built by the members, users, etc., which might break after some critical stage, etc. (another topic).

Greetings

tushar ganguli wrote:
>
> Hi,
> Shouldn't that be optional. Does it compulsorily encrypt all certificates
> and keys with the export password?
>
> Regards,
> Tushar.
>

--
View this message in context: http://www.nabble.com/Using-pkcs12-tp25234677p25234983.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
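The protection discussed in this thread, as an added example that is not part of the original messages: a shell sketch, assuming the `openssl` command-line tool is installed, that bundles a throwaway key and self-signed certificate into a PKCS#12 file and checks that the private key comes out only with the export password. The function names, subject and passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed key, cert and passwords; nothing here comes from the thread.

# make_p12 DIR PASSWORD: create a key + self-signed cert in DIR, bundle them as DIR/id.p12
make_p12() {
    dir=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-user/emailAddress=demo@example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # The password travels in the environment, not argv, so it is not visible in `ps`.
    P12_PASS=$pass openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name "demo-user" -out "$dir/id.p12" -passout env:P12_PASS 2>/dev/null
}

# p12_opens FILE PASSWORD: succeeds only if PASSWORD passes the MAC check
# and a private key can be extracted from FILE.
p12_opens() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes -nocerts 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

# demo: build the bundle, delete the plaintext key, then try a right and a wrong password.
demo() {
    tmp=$(mktemp -d) || return 1
    make_p12 "$tmp" "correct horse demo" || { rm -rf "$tmp"; return 1; }
    rm -f "$tmp/key.pem"   # only the password-protected copy of the key is left
    if p12_opens "$tmp/id.p12" "correct horse demo"; then right=opens; else right=refused; fi
    if p12_opens "$tmp/id.p12" "guess"; then wrong=opens; else wrong=refused; fi
    rm -rf "$tmp"
    echo "right=$right wrong=$wrong"
}

demo
```

Whoever finds `id.p12` without the export password gets neither the MAC check nor the key, which is the situation the reply above describes for a mail client importing the file.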