You're right, the documentation is confusing (man page here*), but I think I've figured it out, after some testing:
-certfile adds all certificates in that file to the .p12 store (in addition to the input certificate).
-CAfile and -CApath are used to build the "standard CA store" (just as they do for openssl s_client), which is only used with the -chain option, which will add the entire certification chain for the input certificate to the .p12, assuming it can be found in that file and/or directory. Without the -chain option they do nothing.
* Also, most distros supply man pages for the openssl subcommands under the subcommand name, e.g. pkcs(1).
see
http://openssl.6102.n7.nabble.com/How-to-include-intermediate-in-pkcs12-td49603.html
A lotofthingsonthe Internet are wrong. The OpenSSL man page doesnotsay multipleoccurrences workandI’m pretty sure it never did, nor did the code.IngeneralOpenSSL commandlines don’t handle repeated options; the few exceptions are noted.pkcs12 -caname (NOT–cafile)ISoneofthe few that can be repeated,andpossiblysome thingsonthe Internet got that confused. However, the commandlines (at leastusually?) don’t *diagnose* repeated (andoverridden) options.pkcs12 –export gets certsfromuptothree places:- the input file (-inifspecifiedelsestdin redirectedorpiped)- -certfileifspecified (once,asyou saw)- the truststoreif–CAfileand/or–CApath specifiedIFNEEDEDInother words, any certininfileorcertfileisalwaysinthe output, neededornot.Ifthatsetdoesnotprovide a complete chain, pkcs12 willtrytocomplete itusingthe truststoreifspecified, but will produce output evenifit remains incomplete.Likeother commandlines,andmany programsusingthe library, the truststorecan be asinglefilewith–CAfile (NOT–cafile)ora directoryofhashnamedlinksorfileswith–CApathorboth.Ifthe cert you are puttinginpkcs12isunder a CA that you trust other peerstouseandthus you haveinyour truststore, easiesttouse itfromthere. Similarlyifyour certisunder an intermediate (orseveral) that you haveinyour truststoretoallow peerstouse evenifthe peers don’t send (asthey should), easiesttousefromthere.Otherwise IMO it’s easiesttojust putininfileor–certfile (ora combination),although theoptionoftemporarily creatingormodifying a truststore works. Whethertodoyour trustorewithCAfileorCApathorbothisa more general questionanddepends partlyonwhether you use somebody’s package.Forexample the curl website supplies the Mozilla truststoreinCAfile format;whenI wanttouse that I don’t bother convertingtoCApath format.From: [hidden email] [[hidden email]]OnBehalfOfEdward Ned Harvey (openssl)Sent: Tuesday, April22,201415:31To: [hidden email]Subject: *** Spam *** Howtoinclude intermediateinpkcs12?A bunchofthingsonthe internet saytodo"-cafile intermediate.pem -cafile root.pem"or"-certfile intermediate.pem -certfile root.pem"andthey explicitly say that calling these command-line options more than onceisokandwill resultinboth the certs being includedinthe final pkcs12... But I have found thistobe untrue.I have found, thatifI concatenate intermediate & rootintoasingleglom file,andthenI specify -certfile onceforthe glom,thenmy pfx file will include the complete chain. ButifI use -certfile twice, Igetno intermediateinmy pfx.AndI just wasted more time than I caretodescribe, figuring this out.So...Whileconcatenation/glomisa viable workaround, I'd like to know, what's supposed to work? And was it a new feature introduced after a certain rev or something? I have OpenSSL 0.9.8y command-line on Mac OSX, and OpenSSL 1.0.1e command-line on cygwin. I believe I've seen the same behavior in both.
8117
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
