Date: Sat, 16 Jul 2005 17:33:25 +0400
From: "Konstantin A. Lepikhov"
To: ALT Linux Devel Mailing List
Message-ID: <20050716133325.GA8790@lks.home>
Subject: [devel] [steve@openssl.org: Re: P12 vs PFX]

Hi!

JFYI

----- Forwarded message from "Dr. Stephen Henson" -----

Date: Mon, 4 Jul 2005 14:30:55 +0200
From: "Dr. Stephen Henson"
To: openssl-users@
Subject: Re: P12 vs PFX

On Mon, Jul 04, 2005, stvv@ wrote:

>
> Hi guys,
> I've got some simple questions. Are *.pfx and *.p12 files
> interchangeable? AFAIK the .pfx is something like a not
> fully implemented subset of .p12. Are there applications
> that accept only one of the two formats? My experiments
> show that changing the postfix .p12 to .pfx or the opposite
> does the job.
>
> 10x in advance
>

Short answer: nowadays the terms "PFX" and "PKCS12" can be used
interchangeably and files with either extension are equivalent. Both
conform to the PKCS#12 specification.

Longer answer: historically a standard was developed to be a format which
could encode and encrypt certificates and private keys. That was developed
by Microsoft and was called "PFX".

Netscape implemented it as well. Very little interop testing was done and
as a result all manner of peculiarities had to be implemented to handle it
properly, including two different and broken key derivation algorithms the
details of which weren't (AFAIK) ever made public.

[One of the first projects I ever did involving ASN1 and SSLeay (no OpenSSL
back then) was a working implementation of PFX (it's still on my website
somewhere). After that nightmare other things seem tame in comparison]

The only browser that implemented it fully AFAIK was Netscape 4.03. Several
versions of MSIE transparently support PFX import only (it may still do).

Shortly afterwards the PKCS#12 standard was adopted instead which, while it
may have its problems, was wonderful compared to PFX.

This "original broken PFX" format has now effectively been consigned to the
dustbin of history. However Microsoft for their own reasons still use the
term "PFX files" and the extension ".pfx" whereas other people (including
me) normally use the term "PKCS#12 files".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       openssl-users@
Automated List Manager                          majordomo@

----- End forwarded message -----

--
WBR, Konstantin    chat with ==>ICQ: 109916175
     Lepikhov,     speak to  ==>JID: lakostis@jabber.org
aka L.A. Kostis    write to  ==>mailto:lakostis@pisem.net.nospam

           ...The information is like the bank... (c) EC8OR