Question

When using the same key and certificate file to create a PKCS12 (PKCS#12 / p12) file, I noticed that consecutive calls to OpenSSL's pkcs12 capability yield different ENCRYPTED PRIVATE KEY content each time (I'm also using the same import password and PEM passphrase). Is this supposed to happen? I'm guessing it has something to do with a different IV (initialization vector) or salt related to a symmetric encryption of the private key, but I wanted to be sure.

I use the following command to create the cred1.p12 and cred2.p12 files:

openssl pkcs12 -export -in certs/cert.pem -out cred1.p12 -name "My credentials" -inkey private/key.pem
openssl pkcs12 -export -in certs/cert.pem -out cred2.p12 -name "My credentials" -inkey private/key.pem

When I compare the resulting .p12 files (diff cred1.p12 cred2.p12 results in binary differences) I use the following command to create the two PKCS12 info text files, upon which I perform another diff.

openssl pkcs12 -info -in cred1.p12 > a.txt
openssl pkcs12 -info -in cred2.p12 > b.txt
diff a.txt b.txt

And the only differences lie between the -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- tags where the private key content is held.

Thanks in advance!


Solution

Yes, this is expected behavior. OpenSSL uses DES-EDE3 by default for encrypting the private key in a PKCS12 file. Each time you encrypt it's generating a random initialization vector, which will change the encrypted payload. When you look at the -info output you'll see something like this:

DEK-Info: DES-EDE3-CBC,558C30D119D6944F

The data after the comma is the hex encoded 8 byte salt.
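To see the behaviour the answer describes end to end, here is an added shell example (not from the question or the answer) that exports the same key twice with the openssl CLI, confirms the two encrypted key blocks differ, and confirms both decrypt to the same private key. It assumes openssl is on PATH and uses the constructed password `secret` and a throwaway self-signed key pair.

```shell
#!/bin/sh
# Added example: two PKCS#12 exports of one key differ only in the random
# salt/IV and ciphertext of the encrypted private key; the plaintext matches.
# Assumes the openssl CLI is on PATH. Password "secret" is a constructed value.

# Build throwaway test material (constructed, not real credentials).
make_test_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/cert.pem" -subj "/CN=p12-demo" -days 1 >/dev/null 2>&1
    echo "$d"
}

# Export the same key and cert twice, as in the question, with a fixed password.
export_twice() {
    for n in 1 2; do
        openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
            -name "My credentials" -passout pass:secret -out "$1/cred$n.p12"
    done
}

# Extract the still-encrypted private key block from a .p12 file.
encrypted_key_pem() {
    openssl pkcs12 -in "$1" -nocerts -passin pass:secret -passout pass:secret
}

# Decrypt a .p12 to its plaintext key, normalised through openssl pkey so
# the comparison is on key material rather than on bag attribute lines.
plain_key_pem() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:secret | openssl pkey
}

# Returns 0 when the encrypted blocks differ but the decrypted keys are equal.
check_salt_only_differs() {
    dir=$(make_test_material)
    export_twice "$dir"
    enc1=$(encrypted_key_pem "$dir/cred1.p12")
    enc2=$(encrypted_key_pem "$dir/cred2.p12")
    plain1=$(plain_key_pem "$dir/cred1.p12")
    plain2=$(plain_key_pem "$dir/cred2.p12")
    rm -rf "$dir"
    [ "$enc1" != "$enc2" ] && [ "$plain1" = "$plain2" ]
}
```

Running `check_salt_only_differs` succeeds because only the randomly chosen salt/IV and the resulting ciphertext change between exports, not the key itself.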

Licensed under: CC-BY-SA with attribution