PKCS#12 Archives
The TNSR CLI can generate PKCS#12 archive files which contain a certificate, its private key, and optionally the CA which signed the certificate.
These password-protected archives make importing the certificates to a client system easier in certain cases, such as for use with RESTCONF or the TNSR GUI (TNSR GUI Service with Client Certificate Authentication). Some software only supports importing certificates from PKCS#12 archives rather than separate PEM files for each component.
Generating a PKCS#12 Archive
PKCS#12 archives are generated by the pki pkcs12 command in the TNSR CLI.
When TNSR generates a PKCS#12 archive file it is stored in /etc/pki/tls/tnsr/certs/ and a copy is placed in the home directory of the current CLI user.
The general form of the pki pkcs12 <certname> generate command is as follows:
tnsr# pki pkcs12 <certname> generate export-password <password> [ca-name <caname>]
[key-pbe-algorithm <pbe-algo>] [certificate-pbe-algorithm <pbe-algo>]
[mac-algorithm <mac-algo>] [verbose]
Warning
The optional parameters for the command must be given in the order listed!
- <certname>: The name of the existing certificate entry.
- export-password <password>: The password used to protect the contents of the archive. Clients will need this password to import or read the contents. This must be at least 8 characters in length but no more than 64.
- ca-name <caname>: The name of the existing certificate authority entry which signed the certificate. This is optional. If omitted, the PKCS#12 archive will only contain the client certificate and its private key, not the CA.
- key-pbe-algorithm <pbe-algo>: The password-based encryption algorithm with which to encrypt the private key. This is optional and defaults to AES-256-CBC.
- certificate-pbe-algorithm <pbe-algo>: The password-based encryption algorithm with which to encrypt the certificate. This is optional and defaults to AES-256-CBC.
- mac-algorithm <mac-algo>: The message authentication code (hash) used for integrity protection. This is optional and defaults to sha256.
- verbose: An optional parameter that, when present, makes the command also print a BASE-64 encoded string containing the PKCS#12 archive data in addition to writing the archive file copies.
After entering the command, the entry is stored in the TNSR filesystem. To generate a different PKCS#12 archive, for example to use different encryption, first delete the existing entry (Deleting a PKCS#12 Archive).
Algorithm Choices
The PKCS#12 archive export command supports multiple algorithms with which to encrypt and hash the contents of the archive. Support for algorithms varies by operating system, so certain uses may require different encryption or hashing options.
To list the available algorithms for each selection, enter ? in place of the value:
tnsr# pki pkcs12 mycert generate export-password abc12345 key-pbe-algorithm ?
AES-256-CBC PBE with 256 bit AES-CBC
PBE-SHA1-3DES PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 certificate-pbe-algorithm ?
AES-256-CBC PBE with 256 bit AES-CBC
PBE-SHA1-3DES PBE with SHA1 and 3DES
tnsr# pki pkcs12 mycert generate export-password abc12345 mac-algorithm ?
sha1 SHA1
sha256 SHA256
Linux/Windows/FreeBSD/Other
To make a PKCS#12 archive which can be used by Linux, Windows, FreeBSD, or other modern clients, use a high level of encryption (AES-256 and SHA256):
Example (all on one line):
tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca
key-pbe-algorithm AES-256-CBC certificate-pbe-algorithm AES-256-CBC mac-algorithm sha256
macOS
macOS clients do not currently support high-level encryption on PKCS#12 archive files, so an archive for those clients needs different, weaker algorithms (3DES and SHA1):
Example (all on one line):
tnsr# pki pkcs12 mycert generate export-password abc12345 ca-name tnsrca
key-pbe-algorithm PBE-SHA1-3DES certificate-pbe-algorithm PBE-SHA1-3DES mac-algorithm sha1
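Because the algorithms inside the archive decide whether a macOS client can import it, it is worth confirming what an archive actually contains before handing it out. The following is an added example, not part of TNSR or this documentation: it reads the summary that `openssl pkcs12 -info -noout` prints for a copied archive and maps it onto the two profiles above. The sample output lines are constructed, and the exact output format is assumed from OpenSSL 3.x.

```python
import re

# Algorithm names as they appear in `openssl pkcs12 -info` output.
# Assumption: OpenSSL 3.x output format; check against your own openssl version.
MODERN_PBE = {"AES-256-CBC"}                        # TNSR key/cert PBE "AES-256-CBC"
LEGACY_PBE = {"pbeWithSHA1And3-KeyTripleDES-CBC"}   # TNSR key/cert PBE "PBE-SHA1-3DES"

def parse_pkcs12_info(info_text):
    """Pull the MAC hash, certificate PBE and key PBE out of `openssl pkcs12 -info -noout` output."""
    found = {"mac": None, "cert_pbe": None, "key_pbe": None}
    for line in info_text.splitlines():
        mac = re.match(r"MAC:\s*(\S+),", line)
        if mac:
            found["mac"] = mac.group(1)
            continue
        # PBES2 lines read "PBES2, PBES2, AES-256-CBC, Iteration 2048, ...": the cipher is the
        # last item before "Iteration". Legacy schemes print a single name such as
        # "pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048".
        bag = re.match(r"(PKCS7 Encrypted data|Shrouded Keybag):\s*(.+?), Iteration", line)
        if bag:
            key = "cert_pbe" if bag.group(1) == "PKCS7 Encrypted data" else "key_pbe"
            found[key] = bag.group(2).split(", ")[-1]
    return found

def archive_profile(found):
    """Map the observed algorithms onto the two profiles described on this page."""
    pbe = {found["cert_pbe"], found["key_pbe"]}
    if pbe <= MODERN_PBE and found["mac"] == "sha256":
        return "modern"   # Linux/Windows/FreeBSD profile: AES-256-CBC + sha256
    if pbe <= LEGACY_PBE and found["mac"] == "sha1":
        return "macos"    # macOS profile: PBE-SHA1-3DES + sha1
    return "mixed"        # matches neither profile cleanly; expect import trouble on macOS

# Constructed sample output (not captured from a real TNSR archive), in the shape of
# `openssl pkcs12 -info -noout -in ~/mycert.p12 -passin pass:<export-password>`.
SAMPLE_MODERN = """\
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBES2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBES2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""
SAMPLE_MACOS = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

if __name__ == "__main__":
    for name, text in (("modern", SAMPLE_MODERN), ("macos", SAMPLE_MACOS)):
        print(name, parse_pkcs12_info(text), "->", archive_profile(parse_pkcs12_info(text)))
```

Feed it the output for an archive copied with the get operation; a "mixed" result means the key, certificate and MAC settings do not all line up with one of the two profiles.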
Listing PKCS#12 Archives
To view a list of PKCS#12 archives present on TNSR:
tnsr# pki pkcs12 list
mycert
Copying PKCS#12 Archives
The TNSR CLI user likely does not have sufficient access to read the files from /etc/pki/tls/tnsr/certs/ directly, so to make a fresh copy of a PKCS#12 archive from /etc/pki/tls/tnsr/certs/ to the home directory of the CLI user, use the get operation:
tnsr# pki pkcs12 <certname> get
Tip
This also enables a different TNSR CLI user to obtain a previously generated PKCS#12 archive.
This command supports a verbose parameter which works identically to the same parameter in the generate operation.
Deleting a PKCS#12 Archive
To remove a PKCS#12 archive entry, for example to replace it with a new archive with different encryption options, use the delete operation:
tnsr# pki pkcs12 <certname> delete
Note
This removes the PKCS#12 archive file from /etc/pki/tls/tnsr/certs/. It does not remove the copies of the file placed in the home directory of the CLI user which generated the archive.