How to create a pkcs12-certificate using sha512

Published 2019-07-05 23:08

Question:

I'm creating my certificates like this:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -sha512 -days 36501 -out rootCA.pem \
-extensions v3_req 

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -sha512 -days 36500 -out client1.csr \
-extensions v3_req 

openssl x509 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem

openssl verify -verbose -CAfile rootCA.pem client1.pem

openssl pkcs12 -export -in client1.pem -inkey client1.key -out client1.p12 -name "client1"

I want the .p12 certificate to use the sha512 algorithm. I thought about adding the option -sha512 to the conversion (last line) but it seems like pkcs12 doesn't have this option. Any ideas?

Answer 1:

PKCS#12 supports the following encryption algorithms for private key encryption.

  • 128 bit RC4 with SHA1
  • 40 bit RC4 with SHA1
  • 3 key triple DES with SHA1 (168 bits)
  • 2 key triple DES with SHA1 (112 bits)
  • 128 bit RC2 with SHA1
  • 40 bit RC2 with SHA1

3 key triple DES is used by default, so there is no need to give -des3 if you prefer it.

You can output some info from the generated pkcs12 file with the following command:

openssl pkcs12 -in client1.p12 -noout -info

As a side note, when you generate the x509 client cert you need to give the -sha512 argument if you want to use the SHA-512 hash function.

Verify whether sha512 hash function was actually used:

openssl x509 -in client1.pem -noout -text

If not, then recreate it with -sha512:

openssl x509 -sha512 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
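As an added example that is not part of the original answer, the following POSIX shell script ties the steps together: it signs the client certificate with SHA-512, exports it with OpenSSL's -macalg, -keypbe and -certpbe options so the PKCS#12 container itself uses a SHA-512 MAC and AES-256 encryption instead of the legacy RC2/3DES schemes listed above, and then reads back what the file contains. The temp directory, subject names and the password "demo" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway CA and client
# certificate signed with SHA-512, exports them to PKCS#12 with a SHA-512 MAC
# and AES-256 key/cert encryption, then reads back what the container holds.
# Assumes OpenSSL 1.1 or newer; file names and the password "demo" are
# constructed for this demonstration only.

# Create the files in a fresh temp directory and print the .p12 path.
make_p12() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        openssl genrsa -out rootCA.key 2048 2>/dev/null
        openssl req -x509 -new -key rootCA.key -sha512 -days 3650 \
            -subj "/CN=Demo Root CA" -out rootCA.pem 2>/dev/null
        openssl genrsa -out client1.key 2048 2>/dev/null
        openssl req -new -key client1.key -sha512 -subj "/CN=client1" \
            -out client1.csr 2>/dev/null
        # -sha512 on the signing step is what makes the leaf signature SHA-512;
        # the digest given to "req" only covers the CSR's own self-signature.
        openssl x509 -req -sha512 -days 3650 -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -in client1.csr -out client1.pem 2>/dev/null
        # -macalg sets the digest of the PKCS#12 integrity MAC; -keypbe and
        # -certpbe replace the legacy RC2/3DES PBE schemes with PBES2 + AES-256.
        openssl pkcs12 -export -in client1.pem -inkey client1.key -name client1 \
            -macalg sha512 -keypbe AES-256-CBC -certpbe AES-256-CBC \
            -passout pass:demo -out client1.p12
    ) || return 1
    echo "$dir/client1.p12"
}

# Signature algorithm of the client certificate stored inside the .p12.
p12_cert_sigalg() {
    openssl pkcs12 -in "$1" -passin pass:demo -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Container-level details (MAC digest, PBE schemes). OpenSSL 3.x prints a
# "MAC: sha512, Iteration ..." line; 1.1.x prints only the iteration count.
p12_info() {
    openssl pkcs12 -in "$1" -passin pass:demo -info -noout 2>&1
}

# Usage: p12=$(make_p12); p12_cert_sigalg "$p12"; p12_info "$p12"
```

A certificate signed without -sha512 shows sha256WithRSAEncryption (or sha1 on old builds) in the first check, regardless of what the container's MAC uses.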


Tags: ssl openssl