ALT Linux Team development discussions
From: "Konstantin A. Lepikhov" <lakostis@altlinux.ru>
To: ALT Linux Devel Mailing List <devel@altlinux.ru>
Subject: [devel] [steve@openssl.org: Re: P12 vs PFX]
Date: Sat, 16 Jul 2005 17:33:25 +0400
Message-ID: <20050716133325.GA8790@lks.home> (raw)

[-- Attachment #1: Type: text/plain, Size: 2794 bytes --]

Hi!

JFYI

----- Forwarded message from "Dr. Stephen Henson" -----

Date: Mon, 4 Jul 2005 14:30:55 +0200
From: "Dr. Stephen Henson" <steve@>
To: openssl-users@
Subject: Re: P12 vs PFX

On Mon, Jul 04, 2005, stvv@ wrote:

> 
> Hi guys,
> I've got some simple questions. Are *.pfx and *.p12 files
> interchangeable? AFAIK the .pfx is something like a not
> fully implemented subset of .p12. Are there applications
> that accept only one of the two formats? My experiments
> show that changing the postfix .p12 to .pfx or the opposite
> does the job.
> 
> 10x in advance
> 

Short answer: nowadays the terms "PFX" and "PKCS12" can be used interchangeably
and files with either extension are equivalent. Both conform to the PKCS#12
specification.

Longer answer: historically a standard was developed to be a format which
could encode and encrypt certificates and private keys. That was developed by
Microsoft and was called "PFX". Netscape implemented it as well. Very little
interop testing was done and as a result all manner of peculiarities had to be
implemented to handle it properly, including two different and broken key
derivation algorithms the details of which weren't (AFAIK) ever made public.

[One of the first projects I ever did involving ASN1 and SSLeay (no OpenSSL
back then) was a working implementation of PFX (it's still on my website
somewhere). After that nightmare other things seem tame in comparison]

The only browser that implemented it fully AFAIK was Netscape 4.03. Several
versions of MSIE transparently support PFX import only (it may still do).

Shortly afterwards the PKCS#12 standard was adopted instead which, while it
may have its problems, was wonderful compared to PFX.

This "original broken PFX" format has now effectively been consigned to the
dustbin of history. However Microsoft for their own reasons still use the term
"PFX files" and the extension ".pfx" whereas other people (including me)
normally use the term "PKCS#12 files".

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@
Automated List Manager                           majordomo@

----- End forwarded message -----

-- 
WBR, Konstantin	      chat with ==>ICQ: 109916175
     Lepikhov,	      speak  to ==>JID: lakostis@jabber.org
aka L.A. Kostis       write  to ==>mailto:lakostis@pisem.net.nospam

...The information is like the bank... 			  (c) EC8OR

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
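
Added example, not part of the forwarded message or of OpenSSL: because the answer above says `.pfx` and `.p12` files are the same PKCS#12 format, a tool that accepts key stores should identify them by content rather than by extension. This Python code checks the DER header for the PKCS#12 outer structure; the version value 3 and the two content-type OIDs come from the PKCS#12 specification, and `SAMPLE` is a constructed skeleton, not a usable key store.

```python
# Identify a PKCS#12 container by its outer ASN.1 structure, ignoring the file name.
PKCS7_DATA = bytes.fromhex("2a864886f70d010701")    # OID 1.2.840.113549.1.7.1 (data)
PKCS7_SIGNED = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2 (signedData)

def der(tag, body):
    """Encode one short-form DER element (used only to build the sample)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # BER indefinite: treat as "to end of parent"
        length = len(buf) - pos
    else:                                 # long form, up to 4 length octets
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, pos, pos + length

def looks_like_pkcs12(buf):
    """True if buf begins PFX ::= SEQUENCE { version 3, authSafe ContentInfo, ... }."""
    try:
        tag, start, end = read_tlv(buf, 0)
        if tag != 0x30:                               # outer SEQUENCE
            return False
        tag, vs, ve = read_tlv(buf[:end], start)
        if tag != 0x02 or buf[vs:ve] != b"\x03":      # version INTEGER must be 3
            return False
        tag, cs, ce = read_tlv(buf[:end], ve)
        if tag != 0x30:                               # authSafe ContentInfo SEQUENCE
            return False
        tag, o1, o2 = read_tlv(buf[:ce], cs)
        return tag == 0x06 and buf[o1:o2] in (PKCS7_DATA, PKCS7_SIGNED)
    except ValueError:
        return False

# Constructed skeleton: version 3, ContentInfo(data, empty OCTET STRING), no MacData.
SAMPLE = der(0x30, der(0x02, b"\x03")
             + der(0x30, der(0x06, PKCS7_DATA) + der(0xA0, der(0x04, b""))))

if __name__ == "__main__":
    print(looks_like_pkcs12(SAMPLE))
```

The check only recognises the container; it does not verify the MAC or decrypt anything, so a file that passes still has to be opened with the password by a real PKCS#12 implementation.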
