I am generating and exporting some pkcs#12 files for testing purposes. These files are not being used in production and only exist temporarily during automated testing.
To generate an unencrypted PKCS12 file with just the OpenSSL command line utility, run the following command:
$ openssl pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: -out bundle.pfx -inkey mykey.key -in certificate.crt -certfile ca-cert.crt
When the encryption algorithm for the private key (-keypbe) and the certificate (-certpbe) is set to NONE, openssl's pkcs12 library ignores the password argument and does not encrypt the private key or the certificate.
This can be verified with the openssl pkcs12 -info command:
$ openssl pkcs12 -info -in bundle.pfx -noout -passin pass:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Data
Certificate bag
Certificate bag
PKCS7 Data
Key bag
Please note that when reading an existing PKCS12 file with the openssl command line tool, it is necessary to specify the -passin pass: argument even when the data are not encrypted. This is because the openssl command line tools cannot detect whether a PKCS12 file is encrypted or not. When an empty password is specified, openssl first tries to read the file as unencrypted. If that fails, openssl tries to read the file as encrypted with an empty password.
When I generate bundle.pfx without specifying the -keypbe NONE -certpbe NONE -nomaciter arguments, openssl pkcs12 -info shows the following:
$ openssl pkcs12 -info -in bundle.pfx -noout -passin pass:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
So in this case the data are encrypted with an empty password.
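A check for the difference between the two listings above, as an added example that is not part of the original answer: it reads openssl pkcs12 -info -noout output and reports whether the bags are stored in the clear, so a test pipeline can assert which kind of bundle it produced. The function names and the SAMPLE_PLAIN variable are hypothetical; the parsing assumes the line layout shown in the listings above.

```shell
#!/bin/sh
# Added example: classify a PKCS12 bundle from `openssl pkcs12 -info -noout` output.
# Prints "<state> mac_iter=<n>", where <state> is unencrypted, encrypted,
# mixed (only certs or only key protected) or unknown (no bags recognised).
classify_pkcs12_info() {
    awk '
        /^MAC:/ { for (i = 1; i < NF; i++) if ($i == "Iteration") mac = $(i + 1) }
        /^PKCS7 Data/            { box = "plain" }   # unencrypted container
        /^PKCS7 Encrypted data:/ { box = "enc" }     # password-encrypted container
        /^Certificate bag/       { if (box == "enc") enc++; else plain++ }
        /^Key bag/               { if (box == "enc") enc++; else plain++ }
        /^Shrouded Keybag:/      { enc++ }           # key encrypted on its own
        END {
            if (plain && enc) state = "mixed"
            else if (plain)   state = "unencrypted"
            else if (enc)     state = "encrypted"
            else              state = "unknown"
            print state " mac_iter=" (mac == "" ? "none" : mac)
        }'
}

# Runs openssl on a bundle. -passin pass: is required even when nothing is
# encrypted; 2>&1 because openssl prints the -info summary on stderr.
classify_pfx() {
    openssl pkcs12 -info -in "$1" -noout -passin pass: 2>&1 | classify_pkcs12_info
}

# Sample input: the -info output shown above for the NONE/NONE bundle.
SAMPLE_PLAIN='MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Data
Certificate bag
Certificate bag
PKCS7 Data
Key bag'

printf '%s\n' "$SAMPLE_PLAIN" | classify_pkcs12_info   # unencrypted mac_iter=1
```

Against a real file, call classify_pfx bundle.pfx; a result of unknown means openssl could not list any bags, for example because the bundle has a non-empty password.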