From 96fc4b72506c1573fd80cfc1d2e5ca4d3d0c2b3f Mon Sep 17 00:00:00 2001 From: rfkrocktk Date: Tue, 3 Jun 2014 15:24:49 -0700 Subject: [PATCH] Added documentation for -iter for PKCS#8 --- doc/apps/pkcs8.pod | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index 6901f1f3f2..e946cbdfaf 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -14,6 +14,7 @@ B B [B<-passin arg>] [B<-out filename>] [B<-passout arg>] +[B<-iter count>] [B<-noiter>] [B<-nocrypt>] [B<-nooct>] @@ -76,6 +77,12 @@ filename. the output file password source. For more information about the format of B see the B section in L. +=item B<-iter count> + +When creating new PKCS#8 containers, use a given number of iterations on the password +in deriving the encryption key for the PKCS#8 output. High values increase the time +required to brute-force a PKCS#8 container. + =item B<-nocrypt> PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo @@ -224,6 +231,11 @@ Read a DER unencrypted PKCS#8 format private key: Convert a private key from any PKCS#8 format to traditional format: openssl pkcs8 -in pk8.pem -out key.pem + +Convert a private key to PKCS#8 format, encrypting with AES-256 and with +one million iterations of the password: + + openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem =head1 STANDARDS
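Review bot: In the SYNOPSIS hunk (@@ -14,6 +14,7 @@), [B<-iter count>] is added directly above [B<-noiter>] as an independent optional flag, and nothing in the patch says what happens when both are given. Either state in the new =item B<-iter count> text which of the two takes precedence, or document them as mutually exclusive.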
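Review bot: The =item B<-iter count> text in the second hunk (@@ -76,6 +77,12 @@) omits what a reader needs in order to choose a value: the iteration count used when -iter is not given, and the accepted range for count. "High values increase the time required to brute-force a PKCS#8 container" is only half of the trade-off, since the same key derivation runs on every legitimate decryption of the key, so the sentence should say that loading the key becomes slower too. "When creating new PKCS#8 containers" would also be clearer if it named the option it depends on (the example added in this patch uses -topk8) and said whether the count applies to both the default and the -v2 encryption schemes.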
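Review bot: In the EXAMPLES hunk (@@ -224,6 +231,11 @@), the new command reads from raw.pem, while the example just above it writes the traditional-format key to key.pem; using key.pem as the input here would keep the file names consistent across the examples. The description says "encrypting with AES-256" where the command specifies aes-256-cbc, so name the mode in the prose as well. Since the command gives no -passout, the lead-in could also say where the password being iterated comes from.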