<div dir="ltr"><div>Enhancement request:<br><br></div>make 'pkcs12' support -inform and -outform.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin <span dir="ltr"><<a href="mailto:garyp@firstech.com" target="_blank">garyp@firstech.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="#0563C1" vlink="#954F72" lang="EN-US"><div class="m_3265590234408259332WordSection1"><p class="MsoNormal">Thanks VERY much Michael. That did the trick. This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input. I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks again for clearing this up. It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING. <span style="font-family:"Segoe UI Emoji",sans-serif">😊</span><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal">Gary<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> openssl-users [mailto:<a href="mailto:openssl-users-bounces@openssl.org" target="_blank">openssl-users-bounces@<wbr>openssl.org</a>] <b>On Behalf Of </b>Michael Wojcik<br><b>Sent:</b> Monday, March 13, 2017 8:58 AM</p><div><div class="h5"><br><b>To:</b> <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br><b>Subject:</b> Re: [openssl-users] Cannot read exported PKCS12 cert and private key<u></u><u></u></div></div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="color:#1f497d">I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">openssl asn1parse -in <i>file</i> -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">So, try this:<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">2. Convert the data from Base64 to binary:<br> openssl base64 -d -in <i>file</i> -out <i>file.der</i><u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">3. Unpack it:<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> openssl pkcs12 -in <i>file</i>.der -nokeys -out <i>file</i>-cert.pem<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> openssl pkcs12 -in <i>file</i>.der -nocerts -out <i>file</i>-key.pem<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Of course, you haven't told us what you're trying to do, so I'm just guessing.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Also, I can't verify this, because I don't have the import password for your PKCS#12 file.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";color:black">Michael Wojcik</span><span style="font-size:9.0pt;color:#1f497d"> <br></span><span style="font-size:9.0pt;font-family:"Courier New";color:black">Distinguished Engineer, Micro Focus</span><span style="font-size:9.0pt;color:#1f497d"> </span><span style="color:#1f497d"><u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> openssl-users [<a href="mailto:openssl-users-bounces@openssl.org" target="_blank">mailto:openssl-users-bounces@<wbr>openssl.org</a>] <b>On Behalf Of </b>Gary L Peskin<br><b>Sent:</b> Monday, March 13, 2017 08:39<br><b>To:</b> <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br><b>Subject:</b> Re: [openssl-users] Cannot read exported PKCS12 cert and private key<u></u><u></u></span></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">My original message accidently included an attachment. Please ignore the attachment. That was not related to this issue.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal">Gary<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b>From:</b> Gary L Peskin [<a href="mailto:garyp@firstech.com" target="_blank">mailto:garyp@firstech.com</a>] <br><b>Sent:</b> Monday, March 13, 2017 2:28 AM<br><b>To:</b> '<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>' <<a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a>><br><b>Subject:</b> Cannot read exported PKCS12 cert and private key<u></u><u></u></p></div></div><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Hello all<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">openssl pkcs12 -in mycert.p12 -noout<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">But I get the following messages:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:<wbr>1199:<u></u><u></u></p><p class="MsoNormal">15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:<wbr>nested asn1 error:.\crypto\asn1\tasn_dec.<wbr>c:374:Type=PKCS12<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’m able to import this with the private key into the Windows certificate store with no issues.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Can someone please advise as to what I’m doing wrong?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal">Gary<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">PS Here is the file:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">-----BEGIN CERTIFICATE-----<u></u><u></u></p><p class="MsoNormal">MIIKCAIBAzCCCcQGCSqGSIb3DQEHAa<wbr>CCCbUEggmxMIIJrTCCBE8GCSqGSIb3<wbr>DQEH<u></u><u></u></p><p class="MsoNormal">BqCCBEAwggQ8AgEAMIIENQYJKoZIhv<wbr>cNAQcBMBwGCiqGSIb3DQEMAQMwDgQI<wbr>jdBS<u></u><u></u></p><p class="MsoNormal">+TZF+<wbr>xQCAgP5gIIECNtJIUg23ab7AXi33MK<wbr>ueO03S1pUkHCQk+kByNK/6f1FgEvu<u></u><u></u></p><p class="MsoNormal">XRqhniR3mdyzeMVBCrCBSx3GhZlpLc<wbr>W/<wbr>d6OAd3z8hbXjvw5OC5OLavemfRNtsi<wbr>+R<u></u><u></u></p><p class="MsoNormal">q9LggkcWT2oCszc2nglKzHYaFnkG80<wbr>vwxLwUXmROL+<wbr>UK4ZlYmqp46EjuNAEo/yqQ<u></u><u></u></p><p class="MsoNormal">yEwgia3iP84wiZRfY9kBJMq9yUm+<wbr>LvowO/1E9v/<wbr>ycgE6IWe1CrThQzrD6Vm9LaTy<u></u><u></u></p><p class="MsoNormal">0oZqAbTbzbedZwGsuWZoedw2FtmRij<wbr>kH5EbRNRpTrUUO/<wbr>qQMO19v5IKtd4kUAWea<u></u><u></u></p><p class="MsoNormal">dpYrwn1kkD2aInKKsjycCFtGopXPbm<wbr>rqj2cm335cESN4XePBHQuzaywHgd0W<wbr>jU5O<u></u><u></u></p><p class="MsoNormal">++UM+B/5Kpx3af53E412pGAcgnPH/<wbr>ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iN<wbr>UfX9p<u></u><u></u></p><p class="MsoNormal">rV3RNRnrEPZlD1MuYEkmBIWA5czUiD<wbr>KrpyYA1fmrSsFthFMhD5fTVoDMSTBm<wbr>NXPz<u></u><u></u></p><p class="MsoNormal">5B8HYW4+aDbo7N2a+<wbr>BtFNcbMqYJqYwVL7xE2rL6nUedMyN2<wbr>uKeZfOnLLQuYoUCg7<u></u><u></u></p><p class="MsoNormal">iYO5k7D/<wbr>jQNsviyZg022Nzwy4agdPBKqok8oan<wbr>Qge8/pr3NeMrNDDKVyWy8ZBVBv<u></u><u></u></p><p class="MsoNormal">KGi3qaX45ejJxP8XaJxxw88+<wbr>KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+<wbr>vRuYnD5N9a<u></u><u></u></p><p class="MsoNormal">YyLspoKy1nk+<wbr>Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa<wbr>2+V/5h6ljUsTsib3VhO0eL<u></u><u></u></p><p class="MsoNormal">/jf+<wbr>BlBxhpWw1J9L0r6sFMYvVS3AsqfqnB<wbr>LJUFLxeQxYvVsV0Gpx8BonpZACQC91<u></u><u></u></p><p class="MsoNormal">DB4oV0l6whqtAQ4dJMJEk9nNnP0NYs<wbr>VceKybF5NvgL3lzALw/<wbr>Ezv8K7Y69FJaM35<u></u><u></u></p><p class="MsoNormal">LrT9JlGSt/<wbr>BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQ<wbr>kbE4fokVhH9lYkMXqBRXqXlI<u></u><u></u></p><p class="MsoNormal">nV9b7hR26NeJY0C7a9VyNXtzIVsP+<wbr>JiBhDzc7GDafIF99fUHPVfqh15CPnT<wbr>b5liZ<u></u><u></u></p><p class="MsoNormal">A6QlYw1aVvyhS8ST4I117kALKWUdl9<wbr>xhe+ui0IFCEQY/mNuQ8O13nlcx+<wbr>DvGtPxc<u></u><u></u></p><p class="MsoNormal">WCUG0VpP6AkE9Mkd67CghF6sFh/<wbr>8FqdE1jU2Asj+iCZVU/<wbr>s0ngH3hAXwMVUwOW9S<u></u><u></u></p><p class="MsoNormal">voxYParz1b0sF7vgrhLteHOZ03TEra<wbr>7rh7OiOVUCOE6CACG1qV8QXDvpkZp2<wbr>mGTx<u></u><u></u></p><p class="MsoNormal">5T7ob8nNF8XQWhIHjULVdKdOBuMh/<wbr>4dOrHTuU5cFosR29mbzAZDDi0myuzT<wbr>v37GJ<u></u><u></u></p><p class="MsoNormal">OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs<wbr>8yVYYHOj3IyQwzU+<wbr>FydfKtlnhh8ZxHKDBo<u></u><u></u></p><p class="MsoNormal">8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2<wbr>ymkoTZonEi7Vir0kN7qjCCBVYGCSqG<wbr>SIb3<u></u><u></u></p><p class="MsoNormal">DQEHAaCCBUcEggVDMIIFPzCCBTsGCy<wbr>qGSIb3DQEMCgECoIIE7jCCBOowHAYK<wbr>KoZI<u></u><u></u></p><p class="MsoNormal">hvcNAQwBAzAOBAh2oqSgVyE4cwICA/<wbr>EEggTInCkEbWknH/<wbr>Vojqzmn1jIPRGb7dG+<u></u><u></u></p><p class="MsoNormal">egxS5YDtk14LxnQuwACTQef2wQnKlo<wbr>sYbfH8dJVIvXRYB19MXroGpd5KJA8D<wbr>ftqa<u></u><u></u></p><p class="MsoNormal">dWFVAcDIrzV/<wbr>ZS252aita0fKOVeqjKWo7TkA9jnwDe<wbr>ekAcK+1R5ioIcfXPLJDSUX<u></u><u></u></p><p class="MsoNormal">gdEaza88oQ+g+34+B2o+mnTPT/PM/<wbr>o1n6cifVRURn2jMASwiB/<wbr>cwLn58UZibCSgL<u></u><u></u></p><p class="MsoNormal">h3CrcKamWi8AF3eJ2rkpPuK41s8Sfq<wbr>Z1ByNEFSgnsX5UQzJpn8FoBPBOmFnR<wbr>8FTr<u></u><u></u></p><p class="MsoNormal">XNwtT7GcJJuWDSnf+<wbr>On2PI2LYT6XAhNeCkfMwdnUa6N1YV2<wbr>Okelmae4J21sldQlw<u></u><u></u></p><p class="MsoNormal">ATZFiuigyPMFF1X3wUfdvZTwQGC17Y<wbr>FTN+OIYF9/<wbr>62XTiZUEJ6y0I3nRvAxpaRHS<u></u><u></u></p><p class="MsoNormal">VVyh2KA89e5Llxv+<wbr>bArgA6brykRHFk5I7e7krrflPoQJ0o<wbr>1oKhb8DshnxAk65v/H<u></u><u></u></p><p class="MsoNormal">xTPLq9gac81AY8rWnrTCZcO+inCan/<wbr>IlOKDXnVCUfZATtAOOIQ6Mf9KwuAey<wbr>E9xu<u></u><u></u></p><p class="MsoNormal">4dUO0vF5juFU6hK8SR//apf0JF+<wbr>zejq5wnEhc1o/sWVpKQkakYayJ+<wbr>4Hnlx+G6Ra<u></u><u></u></p><p class="MsoNormal">bJ3ZYQv4U/<wbr>kUx0Q43qvvwhx0qdZ79BUpqPTxLeBz<wbr>wVG6q5ys8eZY988YcIg11NY9<u></u><u></u></p><p class="MsoNormal">+<wbr>qC4cFGBsbMuWSispichDN5wEJ9C9Ur<wbr>dKRGsAztz0j1GTiJcXPnBH+<wbr>vTeULh7Spx<u></u><u></u></p><p class="MsoNormal">GmLbJWyj3tg+<wbr>QaefDPo4aaIpZCZV0BFSy41fgoBB+<wbr>rZ45wNgRiDuDuHue2WY28PC<u></u><u></u></p><p class="MsoNormal">dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+<wbr>/BCUS/kO0w3x0J7ityoSlyVJ+<wbr>cf84FYmtB<u></u><u></u></p><p class="MsoNormal">zmPIqgjDZS/<wbr>NGC0OWgUBWxzspADETmwpZDCz8MJHK<wbr>99nbAcYz3AybW6307NCJTKp<u></u><u></u></p><p class="MsoNormal">gPfH6RyTrDzoijIweHUeU2pANpDjbp<wbr>53UKV5/<wbr>WyEvbjvy9maf1Jze60zS7EFgZ/n<u></u><u></u></p><p class="MsoNormal">ZEe+<wbr>eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj<wbr>6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV<u></u><u></u></p><p class="MsoNormal">+Uryt+NgcocTtg/5YjVkAdMeVz9A/<wbr>XdGydAy7hE2FwFI1hJTl/<wbr>aI4ZaAKV34xH2r<u></u><u></u></p><p class="MsoNormal">J4/<wbr>VstlG8ongv9zMNaS4Xl1n3wk6W3oAU<wbr>mqWdoYYyDsocIBl1he1oP588Capa7O<wbr>L<u></u><u></u></p><p class="MsoNormal">NLYDl3llQXbyah1A//<wbr>xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3d<wbr>w3kcR9XgOX835Bpi<u></u><u></u></p><p class="MsoNormal">NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQ<wbr>ZxI3W5xp+oHTM/yTuqo/<wbr>5vpOIlMdwqfQ/R<u></u><u></u></p><p class="MsoNormal">HGLVyyQ0yO3oIMxiE56jSnrhjj/H/<wbr>bJJAMMUBXI6pi18JCv24cTjVsXGjsf<wbr>4jH7g<u></u><u></u></p><p class="MsoNormal">9uGmoecX/Sx77Sx+<wbr>814aO0Qkm0WzadLagKoz1nOV1hmeSa<wbr>n1nFnXkE94VqIJ9YTV<u></u><u></u></p><p class="MsoNormal">qnLrY0JYjpI2ywkW4wCscjVMIxkAfh<wbr>ifc31v4LWUnTMO0Y+<wbr>xqO89v1hKbSYkZYYs<u></u><u></u></p><p class="MsoNormal">psrxnomXJq/RqjfZBhF3f+<wbr>0aTNxpvlJnGOjnlT0qX1yHBOr+<wbr>bmkcTIhL7pKA+qK1<u></u><u></u></p><p class="MsoNormal">fZD8834wTLrRcFiPD7pX6/<wbr>zglMEG4PUf1RoDC0+<wbr>3Ud8qa2SqfyYZeFm8+9yFsFnZ<u></u><u></u></p><p class="MsoNormal">RYFkMTowIwYJKoZIhvcNAQkUMRYeFA<wbr>BDAEEAQwBUAEUAUwBUACAAQwBBMBMG<wbr>CSqG<u></u><u></u></p><p class="MsoNormal">SIb3DQEJFTEGBAQAAAABMDswHzAHBg<wbr>UrDgMCGgQUoiKIky5oqgCxt5DnJxWN<wbr>QvZ1<u></u><u></u></p><p class="MsoNormal">WecEFDabnXfA8sLdfwIXx9AexvOOS0<wbr>gpAgID+w==<u></u><u></u></p><p class="MsoNormal">-----END CERTIFICATE-----<u></u><u></u></p></div></div></div></div></div><br>--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>