[openssl-users] Cannot read exported PKCS12 cert and private key

Viktor Dukhovni openssl-users at dukhovni.org
Sat Apr 29 04:03:45 UTC 2017

On Mon, Mar 13, 2017 at 02:27:39AM -0700, Gary L Peskin wrote:

> I exported a certificate and corresponding private key in base 64 encoded
> DER format

For the record, there is no such thing as base64-encoded DER format.
DER a binary encoding of ASN.1.  A format would be particular ASN.1
structure, which can be encoded as DER, or in many cases as PEM.

OpenSSL has no PEM encoding for PKCS#12 objects.  These are supported
only in DER-encoded form.

> I tried to read it using OpenSSL 1.0.2k

You gave it a PEM header that would be appropriate for a single
X.509 certificate, but the enclosed object is PKCS#12, not X.509.

> 15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:.\crypto\asn1\tasn_dec.c:1199:

This is expected.  I'm attaching the corresponding binary PKCS#12
file.  You should be able to decode that with the appropriate

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CACTEST_CA.p12
Type: application/octet-stream
Size: 2572 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170429/6fe6ad13/attachment.obj>

More information about the openssl-users mailing list