
Why is openssl asking me for two passwords in order to get -info of a pkcs12 key?

It's asking me for an Import Password and a PEM pass phrase:

➜  front git:(master) ✗ openssl pkcs12 -info -in front.p12  
Enter Import Password:
MAC: sha1, Iteration 102400
...
Key Attributes: <No Attributes>
Enter PEM pass phrase:

What's each one for?

1 Answer


Because, with the options you have given, OpenSSL will write the contents out to stdout. If the PKCS12 file contains a private key, it will ask you for a pass phrase to protect this private key, which you will need to enter twice. You are therefore being asked once for the pass phrase to unlock the PKCS12 file and then twice for a new pass phrase for the exported private key.

If you only want to view the contents, add the -noout option:

openssl pkcs12 -info -in front.p12 -noout

OpenSSL will now only prompt you once for the PKCS12 unlock pass phrase.

More dangerously, you could replace the -noout with -nodes, in which case the command will output the contents, including any private keys, without prompting you to encrypt the exported private keys.

  • Perfect, so there is nothing stopping me from unlocking the PFX file (Enter Import Password) and reusing exactly the same password (Enter PEM pass phrase x2) on the private key!
    – joedotnot
    Jul 4, 2022 at 13:58
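
The three behaviours described in the answer, reproduced non-interactively as an added example (not part of the original answer): `-passin` supplies the Import Password and `-passout` supplies the PEM pass phrase. The throwaway certificate, the passwords and the helper names `make_demo_p12` and `exported_key_state` are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: throwaway key, certificate and passwords, generated locally.
IMPORT_PW='import-secret'   # unlocks the PKCS#12 file ("Enter Import Password")
PEM_PW='pem-secret'         # encrypts the exported key ("Enter PEM pass phrase")

# Build a self-signed certificate plus key and bundle them into <dir>/demo.p12.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.invalid' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/demo.p12" -passout "pass:$IMPORT_PW"
}

# Run "openssl pkcs12 -info" with extra options and report how the private key
# appears on stdout: none, encrypted or plaintext.
exported_key_state() {
    p12=$1; shift
    out=$(openssl pkcs12 -info -in "$p12" -passin "pass:$IMPORT_PW" "$@" 2>/dev/null)
    case $out in
        *'-----BEGIN ENCRYPTED PRIVATE KEY-----'*|*'Proc-Type: 4,ENCRYPTED'*)
            echo encrypted ;;
        *'PRIVATE KEY-----'*)
            echo plaintext ;;
        *)
            echo none ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_p12 "$dir" || return 1
    # -noout: only the import password is needed, no key is written.
    echo "-noout : $(exported_key_state "$dir/demo.p12" -noout)"
    # Default: the key is written, re-encrypted under the PEM pass phrase.
    echo "default: $(exported_key_state "$dir/demo.p12" -passout "pass:$PEM_PW")"
    # -nodes: the key is written to stdout unencrypted.
    echo "-nodes : $(exported_key_state "$dir/demo.p12" -nodes)"
    rm -rf "$dir"
}
demo
```

Passing passwords as `pass:` arguments exposes them in the process list and shell history; it is used here only because the values are throwaway.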
