<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Symbol";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma",sans-serif;}
span.codeChar
{mso-style-name:"code Char";
mso-style-link:code;
font-family:Consolas;
color:black;}
p.code, li.code, div.code
{mso-style-name:code;
mso-style-link:"code Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:Consolas;
color:black;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Thanks again. Very clear. I’m thinking maybe of a small utility or even a web site were you could upload the thing and it would tell you what it was looking it. I’ll add that to my never-ending to do list on the off chance that I’ll ever have spare time.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Gary<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> openssl-users [mailto:openssl-users-bounces@openssl.org] <b>On Behalf Of </b>Michael Wojcik<br><b>Sent:</b> Monday, March 13, 2017 11:05 AM<br><b>To:</b> openssl-users@openssl.org<br><b>Subject:</b> Re: [openssl-users] Cannot read exported PKCS12 cert and private key<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Glad I could help. To be honest, I had to play around with it for a bit before I remembered that RACF can export PEM-encoded PKCS#12, and how I had handled that the last time I went through this myself.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Also, having experience with figuring out what a file is using openssl asn1parse definitely helps. The last time I taught a class on key and certificate handling, we did an entire exercise on this, because we're always getting this sort of thing from customers. "Here's a zip with our key and certificate files", they say, and then there are files in it with names like "file0" and "key1", and it turns out "key1" is actually a certificate. Learning how to match private keys to certificates is also very useful; I actually ended up giving one customer a script to do that, because they'd been copying things from machine to machine and had really confused the situation.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Someone needs to write a book like <i>Surviving Cryptography with OpenSSL</i> that covers these things, along the lines of Ivan Ristić's <i>OpenSSL Cookbook</i>. (I'd volunteer but to be honest it'd never get done.) I guess this sort of thing should go on the wiki; maybe some of it's there already.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Anyway, back on the subject: I suppose technically this is not really PEM encoding, because the PEM delimiters lie. "----- BEGIN CERTIFICATE -----" claims that what follows is a Base64-encoded DER-encoded X.509 certificate, not a Base64-encoded DER-encoded PKCS#12 structure. Those are rather different things. I suspect RACF supports this because 1) it was easy and 2) it's convenient to have a text representation (that converts cleanly between EBCDIC and ASCII). But it's not technically correct.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>That's probably why OpenSSL doesn't support it; fake-PEM-PKCS#12 is a RACF idiosyncracy, as far as I know. I'm guessing Windows just takes whatever's between the PEM delimiters, decodes the Base64, parses it as ASN.1 DER, and then decides what to do.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>You could argue, by Postel's Interoperability Principle, that openssl should have a "-figure-out-the-format" option for every command that takes files. On the other hand, the Interoperability Principle is a security risk; many vulnerabilities are eliminated simply by requiring inputs that satisfy the specification.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>With a decent scripting language it's pretty easy to recognize one of these files and automatically extract it into something sensible.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Courier New";color:black'>Michael Wojcik</span><span style='font-size:9.0pt;color:#1F497D'> <br></span><span style='font-size:9.0pt;font-family:"Courier New";color:black'>Distinguished Engineer, Micro Focus</span><span style='font-size:9.0pt;color:#1F497D'> </span><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> openssl-users [<a href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>] <b>On Behalf Of </b>Gary L Peskin<br><b>Sent:</b> Monday, March 13, 2017 10:26<br><b>To:</b> <a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br><b>Subject:</b> Re: [openssl-users] Cannot read exported PKCS12 cert and private key<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks VERY much Michael. That did the trick. This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input. I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks again for clearing this up. It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING. <span style='font-family:"Segoe UI Emoji",sans-serif'>😊</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>