Bug 1406891, Make pk12util documentation mention only working ciphers, r=hkario, r=kaie

author: Daiki Ueno <dueno@redhat.com> 2017-10-09 12:05:37 +0200
committer: Daiki Ueno <dueno@redhat.com> 2017-10-09 12:05:37 +0200
commit: f99f128cccb4e9f8f3eccf1d2283b1b6651f3f1d (patch)
tree: b34affb760f5a5c55fc8b272f173a449b1f50fbe /doc
parent: 09f8a6bc62b24545abf886657f30cf5a5047d3f1 (diff)
download: nss-hg-f99f128cccb4e9f8f3eccf1d2283b1b6651f3f1d.tar.gz
3 files changed, 88 insertions, 277 deletions
diff --git a/doc/html/pk12util.html b/doc/html/pk12util.html
index fe516dd83..94dbf51e9 100644
--- a/doc/html/pk12util.html
+++ b/doc/html/pk12util.html
@@ -1,6 +1,6 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm233250345408"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
-          Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm139975398059856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+          Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS #12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
     </p><p>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
     </p><p>For example:</p><p> </p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
@@ -12,7 +12,7 @@ and should contain at least one non-alphabetic character.
 Enter new password: 
 Re-enter password: 
 Enter password for PKCS12 file: 
-pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
     </p><p>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
 Enter password for PKCS12 file: 
 Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file.
@@ -48,7 +48,7 @@ Key(shrouded):
 Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
 
 Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
-    </pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>DES-CBC</p></li><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
+    </pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <strong class="userinput"><code>"NONE"</code></strong> as the argument of the <code class="option">-C</code> option.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PKCS #5 password-based encryption</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PBES2 with AES-CBC-Pad as underlying encryption scheme (<strong class="userinput"><code>"AES-128-CBC"</code></strong>, <strong class="userinput"><code>"AES-192-CBC"</code></strong>, and <strong class="userinput"><code>"AES-256-CBC"</code></strong>)</p></li></ul></div></dd><dt><span class="term">PKCS #12 password-based encryption</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>SHA-1 and 128-bit RC4 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"</code></strong> or <strong class="userinput"><code>"RC4"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 40-bit RC4 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"</code></strong>) (used by default for certificate encryption in non-FIPS mode)</p></li><li class="listitem"><p>SHA-1 and 3-key triple-DES (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"</code></strong> or <strong class="userinput"><code>"DES-EDE3-CBC"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 128-bit RC2 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"</code></strong> or <strong class="userinput"><code>"RC2-CBC"</code></strong>)</p></li><li class="listitem"><p>SHA-1 and 40-bit RC2 (<strong class="userinput"><code>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"</code></strong>)</p></li></ul></div></dd></dl></div><p>With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. 
 The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			cert8.db for certificates
 		</p></li><li class="listitem"><p>
@@ -68,7 +68,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</p><d
 Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB
-		</p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>modutil (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+		</p></li></ul></div></div><div class="refsection"><a name="compatibility"></a><h2>Compatibility Notes</h2><p>The exporting behavior of <span class="command"><strong>pk12util</strong></span> has changed over time, while importing files exported with older versions of NSS is still supported.</p><p>Until the 3.30 release, <span class="command"><strong>pk12util</strong></span> used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.</p><p>Until the 3.31 release, even when <strong class="userinput"><code>"AES-128-CBC"</code></strong> or <strong class="userinput"><code>"AES-192-CBC"</code></strong> is given from the command line, <span class="command"><strong>pk12util</strong></span> always used 256-bit AES as the underlying encryption scheme.</p><p>For historical reasons, <span class="command"><strong>pk12util</strong></span> accepts password-based encryption schemes not listed in this document.  However, those schemes are not officially supported and may have issues in interoperability with other tools.</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>modutil (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p>
 			https://wiki.mozilla.org/NSS_Shared_DB
 		</p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</p><p>
diff --git a/doc/nroff/pk12util.1 b/doc/nroff/pk12util.1
index c4fa972c0..e0a8da833 100644
--- a/doc/nroff/pk12util.1
+++ b/doc/nroff/pk12util.1
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: PK12UTIL
 .\"    Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\"      Date: 27 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -39,24 +39,24 @@ This documentation is still work in progress\&. Please contribute to the initial
 .SH "DESCRIPTION"
 .PP
 The PKCS #12 utility,
-\fBpk12util\fR, enables sharing certificates among any server that supports PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&.
+\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&.
 .SH "OPTIONS AND ARGUMENTS"
 .PP
 \fBOptions\fR
 .PP
 \-i p12file
 .RS 4
-Import keys and certificates from a PKCS#12 file into a security database\&.
+Import keys and certificates from a PKCS #12 file into a security database\&.
 .RE
 .PP
 \-l p12file
 .RS 4
-List the keys and certificates in PKCS#12 file\&.
+List the keys and certificates in PKCS #12 file\&.
 .RE
 .PP
 \-o p12file
 .RS 4
-Export keys and certificates from the security database to a PKCS#12 file\&.
+Export keys and certificates from the security database to a PKCS #12 file\&.
 .RE
 .PP
 \fBArguments\fR
@@ -68,7 +68,7 @@ Specify the key encryption algorithm\&.
 .PP
 \-C certCipher
 .RS 4
-Specify the key cert (overall package) encryption algorithm\&.
+Specify the certiticate encryption algorithm\&.
 .RE
 .PP
 \-d [sql:]directory
@@ -432,7 +432,7 @@ Specify the pkcs #12 file password\&.
 .PP
 The most basic usage of
 \fBpk12util\fR
-for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
+for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
 \fB\-d\fR
 for a directory or
 \fB\-h\fR
@@ -467,7 +467,7 @@ pk12util: PKCS12 IMPORT SUCCESSFUL
 .PP
 Using the
 \fBpk12util\fR
-command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
+command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
 .PP
 pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
 .PP
@@ -559,17 +559,17 @@ Certificate    Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pt
 .\}
 .SH "PASSWORD ENCRYPTION"
 .PP
-PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using
-\fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR
-for private key encryption\&.
-\fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR
-is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&.
+PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify
+\fB"NONE"\fR
+as the argument of the
+\fB\-C\fR
+option\&.
 .PP
 The private key is always protected with strong encryption by default\&.
 .PP
 Several types of ciphers are supported\&.
 .PP
-Symmetric CBC ciphers for PKCS#5 V2
+PKCS #5 password\-based encryption
 .RS 4
 .sp
 .RS 4
@@ -580,110 +580,13 @@ Symmetric CBC ciphers for PKCS#5 V2
 .sp -1
 .IP \(bu 2.3
 .\}
-DES\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-RC2\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-RC5\-CBCPad
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-DES\-EDE3\-CBC (the default for key encryption)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-128\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-192\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-AES\-256\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-128\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-192\-CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-CAMELLIA\-256\-CBC
+PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR,
+\fB"AES\-192\-CBC"\fR, and
+\fB"AES\-256\-CBC"\fR)
 .RE
 .RE
 .PP
-PKCS#12 PBE ciphers
+PKCS #12 password\-based encryption
 .RS 4
 .sp
 .RS 4
@@ -694,7 +597,9 @@ PKCS#12 PBE ciphers
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and 128 Bit RC4
+SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR
+or
+\fB"RC4"\fR)
 .RE
 .sp
 .RS 4
@@ -705,7 +610,7 @@ PKCS #12 PBE with Sha1 and 128 Bit RC4
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and 40 Bit RC4
+SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode)
 .RE
 .sp
 .RS 4
@@ -716,7 +621,9 @@ PKCS #12 PBE with Sha1 and 40 Bit RC4
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and Triple DES CBC
+SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR
+or
+\fB"DES\-EDE3\-CBC"\fR)
 .RE
 .sp
 .RS 4
@@ -727,7 +634,9 @@ PKCS #12 PBE with Sha1 and Triple DES CBC
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
+SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR
+or
+\fB"RC2\-CBC"\fR)
 .RE
 .sp
 .RS 4
@@ -738,114 +647,11 @@ PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
 .sp -1
 .IP \(bu 2.3
 .\}
-PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 128 Bit RC4
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
+SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR)
 .RE
 .RE
 .PP
-PKCS#5 PBE ciphers
-.RS 4
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with MD2 and DES CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with MD5 and DES CBC
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-PKCS #5 Password Based Encryption with SHA1 and DES CBC
-.RE
-.RE
-.PP
-With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
+With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
 \fIno security module can perform the requested operation\fR\&.
 .SH "NSS DATABASE TYPES"
 .PP
@@ -987,6 +793,27 @@ For an engineering draft on the changes in the shared NSS databases, see the NSS
 .\}
 https://wiki\&.mozilla\&.org/NSS_Shared_DB
 .RE
+.SH "COMPATIBILITY NOTES"
+.PP
+The exporting behavior of
+\fBpk12util\fR
+has changed over time, while importing files exported with older versions of NSS is still supported\&.
+.PP
+Until the 3\&.30 release,
+\fBpk12util\fR
+used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&.
+.PP
+Until the 3\&.31 release, even when
+\fB"AES\-128\-CBC"\fR
+or
+\fB"AES\-192\-CBC"\fR
+is given from the command line,
+\fBpk12util\fR
+always used 256\-bit AES as the underlying encryption scheme\&.
+.PP
+For historical reasons,
+\fBpk12util\fR
+accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&.
 .SH "SEE ALSO"
 .PP
 certutil (1)
diff --git a/doc/pk12util.xml b/doc/pk12util.xml
index 03ee356e6..c26794965 100644
--- a/doc/pk12util.xml
+++ b/doc/pk12util.xml
@@ -46,7 +46,7 @@
 
   <refsection id="description">
     <title>Description</title>
-    <para>The PKCS #12 utility, <command>pk12util</command>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</para>
+    <para>The PKCS #12 utility, <command>pk12util</command>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</para>
   </refsection>
   
   <refsection id="options">
@@ -55,17 +55,17 @@
     <variablelist>
       <varlistentry>
         <term>-i p12file</term>
-        <listitem><para>Import keys and certificates from a PKCS#12 file into a security database.</para></listitem>
+        <listitem><para>Import keys and certificates from a PKCS #12 file into a security database.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-l p12file</term>
-        <listitem><para>List the keys and certificates in PKCS#12 file.</para></listitem>
+        <listitem><para>List the keys and certificates in PKCS #12 file.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-o p12file</term>
-        <listitem><para>Export keys and certificates from the security database to a PKCS#12 file.</para></listitem>
+        <listitem><para>Export keys and certificates from the security database to a PKCS #12 file.</para></listitem>
       </varlistentry>
     </variablelist>
 
@@ -78,7 +78,7 @@
 
       <varlistentry>
         <term>-C certCipher</term>
-        <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
+        <listitem><para>Specify the certiticate encryption algorithm.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -233,7 +233,7 @@
   <refsection id="examples">
     <title>Examples</title>
     <para><command>Importing Keys and Certificates</command></para>
-    <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
+    <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS #12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
     </para>
     <para>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
@@ -252,7 +252,7 @@ Enter password for PKCS12 file:
 pk12util: PKCS12 IMPORT SUCCESSFUL</programlisting>
 
     <para><command>Exporting Keys and Certificates</command></para>
-    <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+    <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
     </para>
     <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
     <para>For example:</para>
@@ -304,58 +304,34 @@ Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L
 
   <refsection id="encryption">
     <title>Password Encryption</title>
-    <para>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <command>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</command> for private key encryption. <command>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</command> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</para>
+    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
     <para>The private key is always protected with strong encryption by default.</para>
     <para>Several types of ciphers are supported.</para>
     <variablelist>
     
       <varlistentry>
-        <term>Symmetric CBC ciphers for PKCS#5 V2</term>
+        <term>PKCS #5 password-based encryption</term>
         <listitem>
-	     <itemizedlist>
-	       <listitem><para>DES-CBC</para></listitem>
-	       <listitem><para>RC2-CBC</para></listitem>
-	       <listitem><para>RC5-CBCPad</para></listitem>
-	       <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem>
-	       <listitem><para>AES-128-CBC</para></listitem>
-	       <listitem><para>AES-192-CBC</para></listitem>
-	       <listitem><para>AES-256-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-128-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-192-CBC</para></listitem>
-	       <listitem><para>CAMELLIA-256-CBC</para></listitem>
-	     </itemizedlist>
+	  <itemizedlist>
+	    <listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
+	  </itemizedlist>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>PKCS#12 PBE ciphers</term>
+        <term>PKCS #12 password-based encryption</term>
         <listitem>
-	     <itemizedlist>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem>
-	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
-	     </itemizedlist>
-        </listitem>
-      </varlistentry>
-        <varlistentry><term>PKCS#5 PBE ciphers</term>
-        <listitem>
-	     <itemizedlist>
-	       <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem>
-	       <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem>
-	       <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
-	     </itemizedlist>
+	  <itemizedlist>
+	    <listitem><para>SHA-1 and 128-bit RC4 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4"</userinput> or <userinput>"RC4"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 40-bit RC4 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4"</userinput>) (used by default for certificate encryption in non-FIPS mode)</para></listitem>
+	    <listitem><para>SHA-1 and 3-key triple-DES (<userinput>"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC"</userinput> or <userinput>"DES-EDE3-CBC"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 128-bit RC2 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC"</userinput> or <userinput>"RC2-CBC"</userinput>)</para></listitem>
+	    <listitem><para>SHA-1 and 40-bit RC2 (<userinput>"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC"</userinput>)</para></listitem>
+	  </itemizedlist>
         </listitem>
       </varlistentry>
     </variablelist>
-    <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
+    <para>With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
   </refsection>
 
 <refsection id="databases"><title>NSS Database Types</title>
@@ -432,6 +408,14 @@ Using the SQLite databases must be manually specified by using the <command>sql:
 </itemizedlist>
 </refsection>
 
+  <refsection id="compatibility">
+    <title>Compatibility Notes</title>
+    <para>The exporting behavior of <command>pk12util</command> has changed over time, while importing files exported with older versions of NSS is still supported.</para>
+    <para>Until the 3.30 release, <command>pk12util</command> used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.</para>
+    <para>Until the 3.31 release, even when <userinput>"AES-128-CBC"</userinput> or <userinput>"AES-192-CBC"</userinput> is given from the command line, <command>pk12util</command> always used 256-bit AES as the underlying encryption scheme.</para>
+    <para>For historical reasons, <command>pk12util</command> accepts password-based encryption schemes not listed in this document.  However, those schemes are not officially supported and may have issues in interoperability with other tools.</para>
+  </refsection>
+
   <refsection id="seealso">
     <title>See Also</title>
     <para>certutil (1)</para>
author	Daiki Ueno <dueno@redhat.com>	2017-10-09 12:05:37 +0200
committer	Daiki Ueno <dueno@redhat.com>	2017-10-09 12:05:37 +0200
commit	f99f128cccb4e9f8f3eccf1d2283b1b6651f3f1d (patch)
tree	b34affb760f5a5c55fc8b272f173a449b1f50fbe /doc
parent	09f8a6bc62b24545abf886657f30cf5a5047d3f1 (diff)
download	nss-hg-f99f128cccb4e9f8f3eccf1d2283b1b6651f3f1d.tar.gz