Allow step certificate p12 to specify a friendly name/alias #1183

Open
sshipway opened this issue May 27, 2024 · 2 comments
@sshipway

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When you create a PKCS12 file from a cert/key pair, the new P12 file has the item with the alias '1'. It would be helpful to be able to specify a different alias, such as:

step certificate p12 foo.p12 foo.crt foo.key --alias foo.com

Why is this needed?

When managing keystores, some applications expect the cert/key to be referenced by the FQDN. Similarly, if you are using keytool to import the pkcs12 file into a JKS, it will try to replicate the items based on the alias. This can be overridden on the command line, but it would be more convenient if the pkcs12 file could be created with the alias in the first place - this also removes another step from any post-deploy process.

@sshipway added the labels enhancement and needs triage (Waiting for discussion / prioritization by team) May 27, 2024

@sshipway (Author)

This is the command I use for importing a smallstep-generated cert without alias into a JKS:

keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 \
  -destkeystore keystore  \
  -destalias foo.smxemail.com -srcalias 1

If we were able to specify the alias at creation time, I would not need to specify -destalias and -srcalias.

@hslatman (Member) commented May 28, 2024

Hey @sshipway, it's surprising to see the alias is 1. IIRC it should be a concatenation of subject and the certificate fingerprint: https://github.com/smallstep/cli/blob/master/command/certificate/p12.go#L180. Looks like it goes through this path, which doesn't seem to set a friendly name when it's just a cert + key: https://github.com/smallstep/cli/blob/master/command/certificate/p12.go#L153-L173.

That said, this looks to be a (partial) duplicate of #1004.
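
An added example, not from the issue thread or the smallstep project: a shell check of whether a PKCS#12 file carries a friendlyName bag attribute (the value Java's keytool uses as the entry alias), with openssl's `-name` option as one way to set it at export time. The file names, subject and password are constructed sample values, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: compare the friendlyName bag attribute of two PKCS#12 files.
# File names, subject and password below are constructed sample values.
set -eu

PASS='example-pass'   # constructed sample password, not for real use

# Create a throwaway self-signed certificate and key in directory $1.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=foo.com' \
    -keyout "$1/foo.key" -out "$1/foo.crt" 2>/dev/null
}

# Bundle cert + key from directory $1 into file $2.
# Optional $3 is written as the friendlyName of the entry.
make_p12() {
  if [ -n "${3:-}" ]; then
    openssl pkcs12 -export -in "$1/foo.crt" -inkey "$1/foo.key" \
      -name "$3" -passout "pass:$PASS" -out "$2"
  else
    openssl pkcs12 -export -in "$1/foo.crt" -inkey "$1/foo.key" \
      -passout "pass:$PASS" -out "$2"
  fi
}

# Print the distinct friendlyName values in P12 file $1 (nothing if absent).
friendly_names() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | sort -u
}

# Build one bundle without and one with a friendly name, then report both.
demo() {
  dir=$(mktemp -d)
  make_pair "$dir"
  make_p12 "$dir" "$dir/unnamed.p12"
  make_p12 "$dir" "$dir/named.p12" 'foo.com'
  echo "unnamed: [$(friendly_names "$dir/unnamed.p12")]"
  echo "named:   [$(friendly_names "$dir/named.p12")]"
  rm -rf "$dir"
}

demo
```

Running `friendly_names` against a bundle before importing it into a keystore shows which alias, if any, the entry will carry.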
