On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 13, 2015, Sean Leonard wrote:
>> Using the openssl pkcs12 -export command, how can one specify a
>> different friendlyName attribute for the private key?
>> For example, consider the command:
>> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey
>> key.txt -in user.crt -name "sean user cert 2015" -certfile
>> othercerts.txt
> I'm curious as to why you want to do this.
> If no friendlyname is specified on the command line an "alias" associated with
> the certificate is used instead. You can associate an alias with a certificate
> like this:
> openssl x509 -in cert.pem -setalias "some name" -out newcert.pem
> Unfortunately the -name option specified on the command line will also be
> used even if there is an alias present. You can change this by looking in
> crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the
> following lines:
> if (name && !PKCS12_add_friendlyname(bag, name, -1))
> goto err;
> Then you can specify the certificate friendlyname using the alias and the
> private key friendly name using the command line -name option.
I attempted to do this today (comment out those two lines) with OpenSSL
1.0.2. It was around line 127 in p12_crt.c in the 1.0.2 distribution.
Using the -name option managed to set the friendly name of the private
key, not the certificate. Unfortunately, using {x509 -setalias} followed
by inputting it to {pkcs12 -in aliasedcert.pem} did not work: the
friendly name attribute was not set on the certificate. Only the
localKeyID property was set. I verified the pkcs12 output with {pkcs12
-in pkcs12.p12 -info}.
When I changed the code to:
if (!PKCS12_add_friendlyname(bag, "HARDCODED FRIENDLYNAME", -1))
goto err;
the friendly name of the certificate was set properly to the hardcoded
value, and the private key friendly name was set to the -name option
(presumably the name local variable in the same function).
Any ideas on why the alias name is not getting used?
I looked into PKCS12_add_cert (also in p12_crt.c) and did not see
anything particularly amiss. That function calls X509_alias_get0 ->
PKCS12_add_friendlyname. As long as the certificate structure has the
"aux" appendage, it should work. I ran {x509 -in aliasedcert.pem -alias}
and the proper alias was output. Therefore, I am thinking that something
is going on with certificate processing prior to the PKCS12_create call,
which strips the aux information.
Kind regards,
Sean
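As an added example (not from this thread, and not OpenSSL project code), the steps discussed above as a runnable script: it generates a throwaway key and self-signed certificate, attaches an alias with x509 -setalias, exports with -name, and then lists the friendlyName values that pkcs12 -info reports, so what actually landed in the bags can be checked rather than assumed. The file names, the subject CN and the two friendly names are constructed for the example; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Builds a PKCS#12 file as described above (alias on the certificate via
# x509 -setalias, -name on the export) and reports the friendlyName
# attributes found by "pkcs12 -info". Names and files are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway key and self-signed certificate (constructed test material).
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example test" \
        -keyout "$WORK/key.pem" -out "$WORK/user.pem" -days 1 \
        >/dev/null 2>&1
    # Attach an alias to the certificate, as the reply above suggests.
    openssl x509 -in "$WORK/user.pem" -setalias "cert alias 2015" \
        -out "$WORK/aliasedcert.pem"
}

# Export with -name, then dump the bag attributes with "pkcs12 -info".
# -nodes keeps the dumped key unencrypted so no second password prompt
# is needed; the export password is a constructed dummy value.
export_and_dump() {
    openssl pkcs12 -export -out "$WORK/out.p12" -name "sean key 2015" \
        -inkey "$WORK/key.pem" -in "$WORK/aliasedcert.pem" \
        -passout pass:example >/dev/null 2>&1
    openssl pkcs12 -in "$WORK/out.p12" -info -nodes -passin pass:example \
        2>/dev/null
}

# Print the distinct friendlyName values present in the -info output,
# one per line. Whether the alias shows up alongside the -name value is
# exactly the question the thread is about, so inspect this list directly.
friendly_names() {
    make_test_material
    export_and_dump | sed -n 's/^ *friendlyName: *//p' | sort -u
}

friendly_names
```

Run it as a plain script; it prints the friendlyName values it finds. With an unmodified OpenSSL the -name value is expected to appear, since PKCS12_create adds it to both the key bag and the certificate bag; comparing this list before and after the p12_crt.c change from the reply shows which bag each name ended up on.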
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users