Question
When using the same key and certificate file to create a PKCS12 (PKCS#12 / p12) file, I noticed that consecutive calls to OpenSSL's pkcs12 capability yields different ENCRYPTED PRIVATE KEY content each time (I'm also using the same import password and PEM passphrase). Is this supposed to happen? I'm guessing it has something to do with a different IV (initialization vector) or salt related to a symmetric encryption of the private key, but I wanted to be sure.
I use the following command to create the cred1.p12 and cred2.p12 files:
https://stackoverflow.com/questions/17798341
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianopenssl pkcs12 -export -in certs/cert.pem -out cred1.p12 -name "My credentials" -inkey private/key.pem
openssl pkcs12 -export -in certs/cert.pem -out cred2.p12 -name "My credentials" -inkey private/key.pem
When I compare the resulting .p12 files (diff cred1.p12 cred2.p12 results in binary differences) I use the following command to create the two PKCS12 info text files, upon which I perform another diff.
openssl pkcs12 -info -in cred1.p12 > a.txt
openssl pkcs12 -info -in cred2.p12 > b.txt
diff a.txt b.txt
And the only differences lie between the -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- tags where the private key content is held.
Thanks in advance!
Solution
Yes, this is expected behavior. OpenSSL uses DES-EDE3 by default for encrypting the private key in a PKCS12 file. Each time you encrypt it's generating a random initialization vector, which will change the encrypted payload. When you look at the -info output you'll see something like this:
DEK-Info: DES-EDE3-CBC,558C30D119D6944F
The data after the comma is the hex encoded 8 byte salt.
