PKCS#12 Archives

The TNSR CLI can generate PKCS#12 archive files which contain a certificate, its private key, and optionally the CA which signed the certificate.

These password-protected archives make importing the certificates to a client system easier in certain cases, such as for use with RESTCONF or the TNSR GUI (TNSR GUI Service with Client Certificate Authentication). Some software only supports importing certificates from PKCS#12 archives rather than separate PEM files for each component.

Generating a PKCS#12 Archive

PKCS#12 archives are generated by the pki pkcs12 command in the TNSR CLI. When TNSR generates a PKCS#12 archive file it is stored in /etc/pki/tls/tnsr/certs/ and a copy is placed in the home directory of the current CLI user.

The general form of the pki pkcs12 <certname> generate command is as follows:

tnsr# pki pkcs12 <certname> generate export-password <password> [ca-name <caname>]
       [key-pbe-algorithm <pbe-algo>] [certificate-pbe-algorithm <pbe-algo>]
       [mac-algorithm <mac-algo>] [verbose]

Warning

The optional parameters for the command must be given in the order listed!

<certname>

The name of the existing certificate entry.

export-password <password>

The password used to protect the contents of the archive. Clients will need this password to import or read the contents.

This must be at least 8 characters in length but no more than 64.

ca-name <caname>

The name of the existing certificate authority entry which signed the certificate. This is optional. If omitted, the PKCS#12 archive will only contain the client certificate and its private key, not the CA.

key-pbe-algorithm <pbe-algo>

The password-based encryption algorithm with which to encrypt the private key. This is optional and defaults to AES-256-CBC.

certificate-pbe-algorithm <pbe-algo>

The password-based encryption algorithm with which to encrypt the certificate. This is optional and defaults to AES-256-CBC.

mac-algorithm <mac-algo>

The message authentication code (hash) used for integrity protection. This is optional and defaults to sha256.

verbose

An optional parameter. When present, in addition to writing the archive file copies, the command prints a Base64-encoded string containing the PKCS#12 archive data.

After entering the command, the entry is stored in the TNSR filesystem. To generate a different PKCS#12 archive, for example to use different encryption, first delete the existing entry (Deleting a PKCS#12 Archive).

Algorithm Choices

The PKCS#12 archive export command supports multiple algorithms with which to encrypt and hash the contents of the archive. Support for algorithms varies by operating system, so certain uses may require different encryption or hashing options.

To list the available algorithms for each parameter, enter ? in place of the value:

tnsr# pki pkcs12 mycert generate export-password abc12345 key-pbe-algorithm ?
  AES-256-CBC           PBE with 256 bit AES-CBC
  PBE-SHA1-3DES         PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 certificate-pbe-algorithm ?
  AES-256-CBC           PBE with 256 bit AES-CBC
  PBE-SHA1-3DES         PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 mac-algorithm ?
  sha1                  SHA1
  sha256                SHA256

Linux/Windows/FreeBSD/Other

To make a PKCS#12 archive for Linux, Windows, FreeBSD, or other modern clients, use the strongest available algorithms (AES-256-CBC and SHA256):

Example (all on one line):

tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca
 key-pbe-algorithm AES-256-CBC certificate-pbe-algorithm AES-256-CBC mac-algorithm sha256

macOS

macOS clients do not currently support high level encryption on PKCS#12 archive files, so an archive for those clients needs different, weaker, algorithms (3DES and SHA1):

Example (all on one line):

tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca
 key-pbe-algorithm PBE-SHA1-3DES certificate-pbe-algorithm PBE-SHA1-3DES mac-algorithm sha1
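Because client support differs as described above, it is useful to confirm which PBE and MAC algorithms an archive actually carries before handing it to a client. That information is readable without the export password: it sits in the AlgorithmIdentifier OIDs of the archive's outer, unencrypted layers (the EncryptedData and PKCS8ShroudedKeyBag headers and the MacData). The following is an added example, not TNSR code: a standard-library Python inspector for a .p12 file, plus two constructed PFX skeletons (real structure, zeroed ciphertext and MAC) that stand in for the modern and macOS-style archives. The OID-to-name table assumes the OpenSSL convention in which the AES-256-CBC option is expressed as PBES2 with an aes256-CBC encryption scheme and PBE-SHA1-3DES as pbeWithSHA1And3-KeyTripleDES-CBC.

```python
"""Report the PBE and MAC algorithms used by a PKCS#12 (.p12/.pfx) archive.
Added example (not TNSR code), standard library only. The sample archives at
the bottom are constructed skeletons, not loadable archives."""
import sys

OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",          # OpenSSL-style AES-256-CBC option
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",   # PBES2 encryption scheme
    "1.2.840.113549.1.12.1.3": "PBE-SHA1-3DES",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}
REPORT_OIDS = {"1.2.840.113549.1.5.13", "2.16.840.1.101.3.4.1.42", "1.2.840.113549.1.12.1.3"}
OID_DATA = "1.2.840.113549.1.7.1"   # PKCS#7 'data': its OCTET STRING holds nested DER

# --- minimal DER reader ------------------------------------------------------
def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at buf[pos:]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def der_children(buf, start, end):
    pos = start
    while pos < end:
        tag, vs, ve = der_read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def der_decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n)); n = 0
    return ".".join(parts)

def collect_oids(buf, start, end, nested=False):
    """All OIDs in buf[start:end]; descends into constructed elements and into
    OCTET STRINGs that carry PKCS#7 'data' content. Ciphertext stays opaque."""
    oids, prev = [], None
    for tag, vs, ve in der_children(buf, start, end):
        if tag == 0x06:
            prev = der_decode_oid(buf[vs:ve]); oids.append(prev)
        elif tag & 0x20:                                # SEQUENCE, SET, [n] EXPLICIT
            oids += collect_oids(buf, vs, ve, nested=(prev == OID_DATA))
        elif tag == 0x04 and nested:
            oids += collect_oids(buf, vs, ve)
    return oids

def inspect_pkcs12(buf):
    """Return {'mac': name, 'pbe': [names]} read from the archive's outer layers."""
    _, s, e = der_read_tlv(buf, 0)                      # PFX ::= SEQUENCE
    parts = list(der_children(buf, s, e))               # version, authSafe, macData
    _, as_s, as_e = parts[1]
    pbe = {OID_NAMES.get(o, o) for o in collect_oids(buf, as_s, as_e) if o in REPORT_OIDS}
    mac = None
    if len(parts) > 2:                                  # MacData: DigestInfo's OID comes first
        _, m_s, m_e = parts[2]
        mac_oid = collect_oids(buf, m_s, m_e)[0]
        mac = OID_NAMES.get(mac_oid, mac_oid)
    return {"mac": mac, "pbe": sorted(pbe)}

def compatibility(info):
    """Map the findings to the client classes discussed on the page."""
    if info["mac"] == "sha1" and info["pbe"] == ["PBE-SHA1-3DES"]:
        return "legacy (3DES/SHA1): importable on macOS, weaker protection"
    if info["mac"] == "sha256" and "aes256-CBC" in info["pbe"]:
        return "modern (AES-256-CBC/SHA256): Linux, Windows, FreeBSD"
    return "mixed or unknown: check the client's documentation"

# --- constructed sample archives (skeletons with zeroed ciphertext/MAC) -----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    a = [int(p) for p in dotted.split(".")]
    body = bytearray([a[0] * 40 + a[1]])
    for p in a[2:]:
        enc = bytearray([p & 0x7F]); p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F)); p >>= 7
        body += enc
    return der(0x06, bytes(body))

def pbe_alg(pbe_oid, cipher_oid):
    """AlgorithmIdentifier: PBEParameter for the legacy scheme, PBES2-params otherwise."""
    salt, iters = der(0x04, b"\x00" * 8), der(0x02, b"\x08\x00")         # 2048 iterations
    if cipher_oid is None:
        params = der(0x30, salt + iters)
    else:
        kdf = der(0x30, der_oid("1.2.840.113549.1.5.12") + der(0x30, salt + iters))  # PBKDF2
        params = der(0x30, kdf + der(0x30, der_oid(cipher_oid) + der(0x04, b"\x00" * 16)))
    return der(0x30, der_oid(pbe_oid) + params)

def build_sample_pfx(pbe_oid, mac_oid, cipher_oid=None):
    alg = pbe_alg(pbe_oid, cipher_oid)
    enc_cert = der(0x30, der_oid("1.2.840.113549.1.7.6") + der(0xA0, der(0x30, der(0x02, b"\x00")
               + der(0x30, der_oid(OID_DATA) + alg + der(0x80, b"\x00" * 16)))))
    key_bag = der(0x30, der_oid("1.2.840.113549.1.12.10.1.2")
              + der(0xA0, der(0x30, alg + der(0x04, b"\x00" * 16))))
    key_ci = der(0x30, der_oid(OID_DATA) + der(0xA0, der(0x04, der(0x30, key_bag))))
    auth_safe = der(0x30, der_oid(OID_DATA) + der(0xA0, der(0x04, der(0x30, enc_cert + key_ci))))
    digest_info = der(0x30, der(0x30, der_oid(mac_oid) + der(0x05, b"")) + der(0x04, b"\x00" * 20))
    mac_data = der(0x30, digest_info + der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00"))
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac_data)

MODERN = build_sample_pfx("1.2.840.113549.1.5.13", "2.16.840.1.101.3.4.2.1", "2.16.840.1.101.3.4.1.42")
LEGACY = build_sample_pfx("1.2.840.113549.1.12.1.3", "1.3.14.3.2.26")

if __name__ == "__main__":
    for path in sys.argv[1:]:                          # real .p12 files given on the command line
        with open(path, "rb") as f:
            info = inspect_pkcs12(f.read()); print(path, info, compatibility(info))
    for label, blob in (("modern", MODERN), ("legacy", LEGACY)):
        info = inspect_pkcs12(blob); print(label, info, compatibility(info))
```

Run it with the path of an archive copied from the CLI user's home directory to see the same report for a real file. The inspector never descends into ciphertext (context tag 0x80 content and the OCTET STRING of a shrouded key bag are left opaque), so it cannot be fooled by random bytes that happen to look like DER, and it needs no password because the algorithm identifiers are stored in the clear by design.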

Listing PKCS#12 Archives

To view a list of PKCS#12 archives present on TNSR:

tnsr# pki pkcs12 list
    mycert

Copying PKCS#12 Archives

The TNSR CLI user likely does not have sufficient access to read the files in /etc/pki/tls/tnsr/certs/ directly. To make a fresh copy of a PKCS#12 archive from that directory to the home directory of the CLI user, use the get operation:

tnsr# pki pkcs12 <certname> get

Tip

This also enables a different TNSR CLI user to obtain a previously generated PKCS#12 archive.

This command supports a verbose parameter which works identically to the same parameter in the generate operation.

Deleting a PKCS#12 Archive

To remove a PKCS#12 archive entry, for example to replace it with a new archive with different encryption options, use the delete operation:

tnsr# pki pkcs12 <certname> delete

Note

This removes the PKCS#12 archive file from /etc/pki/tls/tnsr/certs/; it does not remove the copies of the file placed in the home directory of the CLI user which generated the archive.