This article is valid for Certificate Manager 8.5 and later.
pkcs12 is a command-line program used to perform operations on PKCS #12 and PKCS #10 files.
The program is located in the <install_root>/tools directory of the Smart ID Certificate Manager (CM) installation. The available commands, with their supported options and arguments, are detailed below, each followed by examples.
Generate a PKCS10 request
Syntax
This is the syntax for "Generate a PKCS10 request":
pkcs12 <pkcs12-file> <password> [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}]
-certrequest <subject-dn> [-signalgorithm <signAlgId>]
Options and arguments
These are the options and arguments for "Generate a PKCS10 request":
| Options and arguments | Description |
|---|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
| <password> | The required password for the PKCS12 soft token. |
| -certrequest <subject-dn> | The required distinguished name (DN) of the subject in the PKCS10 request. |
| -friendlyname <name> | The optional friendly name of the key pair stored in the PKCS12 soft token that the request is generated for. If left unset, the |
| -localkeyid <id> | The optional local key id of the key pair stored in the PKCS12 soft token that the request is generated for. If left unset, the |
| -signalgorithm <signAlgId> | The optional signature algorithm to use, for example SHA384withECDSA or SHA256withRSAandMGF1. The default is SHA256withDSA, SHA256withECDSA or SHA256withRSA, depending on the type of the key pair. |
| -provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
Examples
Generate a PKCS10 request using a PKCS12 file:
pkcs12 example.p12 password -certrequest "O=Nexus,CN=My Name" -friendlyname name
Add a key pair to a PKCS12 soft token
Syntax
This is the syntax for "Add a key pair to a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}]
{-ec [-curve <ec-curve>] | {-dsa | -rsa} [-keylength <length>]}
[-keyalgorithm <keyAlgId>] [-signalgorithm <signAlgId>]
Options and arguments
These are the options and arguments for "Add a key pair to a PKCS12 soft token":
| Options and arguments | Description |
|---|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
| <password> | The optional password for the PKCS12 soft token. |
| -friendlyname <name> | The optional friendly name for the new key pair stored in the PKCS12 soft token. |
| -localkeyid <id> | The optional local key id for the new key pair stored in the PKCS12 soft token. If left unset, a random id is generated. |
| -encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm used to protect the soft token. Choose one of aes128, aes192, aes256 or des3. des3 is a legacy cipher kept for compatibility with older consumers; prefer AES. |
| -iterations <amount> | The number of hash iterations applied to the P12 password when deriving the encryption keys. A higher count increases the brute-force resistance of the P12 file against password guessing. |
| -provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
| -ec | Generates a new EC (elliptic curve) key pair. |
| -curve <ec-curve> | The optional curve to use for the new EC (elliptic curve) key pair, default is secp256r1. |
| -dsa | Generates a new DSA key pair. |
| -rsa | Generates a new RSA key pair. |
| -keylength <length> | The optional length of the RSA/DSA key pair to be generated, default is 2048 bits for RSA and 1024 bits for DSA. Note that 1024-bit DSA is below current minimum recommendations (NIST SP 800-131A); if DSA must be used, set a larger length explicitly. |
| -keyalgorithm <keyAlgId> | The optional key algorithm to use. |
| -signalgorithm <signAlgId> | The optional signature algorithm to use. |
Examples
Generate an RSA key pair and store in a PKCS12 file:
pkcs12 example.p12 password -rsa
Generate an EC key pair and store in a PKCS12 file:
pkcs12 example.p12 password -ec
Add a certificate to a PKCS12 soft token
Syntax
This is the syntax for "Add a certificate to a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -updatecert <cert-file>
Options and arguments
These are the options and arguments for "Add a certificate to a PKCS12 soft token":
| Options and arguments | Description |
|---|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
| <password> | The optional password for the PKCS12 soft token. |
| -friendlyname <name> | The optional friendly name of the key pair stored in the PKCS12 soft token that the certificate belongs to. If left unset, the |
| -localkeyid <id> | The optional local key id of the key pair stored in the PKCS12 soft token that the certificate belongs to. If left unset, the |
| -encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm used to protect the soft token. Choose one of aes128, aes192, aes256 or des3. |
| -iterations <amount> | The number of hash iterations applied to the P12 password when deriving the encryption keys. A higher count increases the brute-force resistance of the P12 file against password guessing. |
| -provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
| -updatecert <cert-file> | The required name of the certificate file to add to the PKCS12 soft token. |
Examples
Add a certificate to a PKCS12 file:
pkcs12 example.p12 password -updatecert certificate.cer -friendlyname name
Remove a key pair from a PKCS12 soft token
Syntax
This is the syntax for "Remove a key pair from a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-encryptalgorithm {aes128|aes192|aes256|des3}] [-iterations <amount>]
[-provider {<name>|<classname>}] -remove
Options and arguments
These are the options and arguments for "Remove a key pair from a PKCS12 soft token":
| Options and arguments | Description |
|---|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
| <password> | The optional password for the PKCS12 soft token. |
| -friendlyname <name> | The optional friendly name of the key pair stored in the PKCS12 soft token that should be removed. If left unset, the |
| -localkeyid <id> | The optional local key id of the key pair stored in the PKCS12 soft token that should be removed. If left unset, the |
| -encryptalgorithm {aes128\|aes192\|aes256\|des3} | The optional encryption algorithm used to protect the soft token. Choose one of aes128, aes192, aes256 or des3. |
| -iterations <amount> | The number of hash iterations applied to the P12 password when deriving the encryption keys. A higher count increases the brute-force resistance of the P12 file against password guessing. |
| -provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
| -remove | The required flag signalling that the designated key pair should be removed from the PKCS12 soft token. |
Examples
Remove a key pair from a PKCS12 file:
pkcs12 example.p12 password -remove -friendlyname name
Export or view the contents of a PKCS12 soft token
Syntax
This is the syntax for "Export or view the contents of a PKCS12 soft token":
pkcs12 <pkcs12-file> [<password>] [-friendlyname <name>] [-localkeyid <id>]
[-provider {<name>|<classname>}] [-all] [-out <bag-filename-prefix>]
Options and arguments
These are the options and arguments for "Export or view the contents of a PKCS12 soft token":
| Options and arguments | Description |
|---|---|
| <pkcs12-file> | The required path and file name of the P12 file to read from or write to. |
| <password> | The optional password for the PKCS12 soft token. |
| -friendlyname <name> | The optional friendly name of the key pair stored in the PKCS12 soft token to view or export. If left unset, the |
| -localkeyid <id> | The optional local key id of the key pair stored in the PKCS12 soft token to view or export. If left unset, the |
| -provider {<name>\|<classname>} | The optional name or classname of the JCE provider to use. |
| -all | The optional flag signalling that the full contents of the stored certificate should be printed. |
| -out <bag-filename-prefix> | The optional flag signalling that every bag in the PKCS12 soft token should be exported to a file whose name starts with the given prefix. |
Examples
Detail the contents of a PKCS12 file:
pkcs12 example.p12 password -all
Extract the contents of a PKCS12 file:
pkcs12 example.p12 password -out example