[openssl-users] Cannot read exported PKCS12 cert and private key

Mon Mar 13 16:56:21 UTC 2017

Enhancement request:

make 'pkcs12' support -inform and -outform.

On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin <garyp at firstech.com> wrote:

> Thanks VERY much Michael.  That did the trick.  This was a homegrown CA
> cert and I needed it to sign a certificate request for testing purposes.
>
>
>
> I didn’t realize that the openssl pkcs12 utility didn’t support PEM
> encoding for input.  I was a little confused I guess by the documentation
> which shows PEM encoding for “-in filename” but I see now that that’s for
> when exporting a PKCS#12 file, not for parsing one.
>
>
>
> Thanks again for clearing this up.  It’s weird that MS supports this input
> format but openssl does not. I thought openssl could do EVERYTHING.  😊
>
>
>
> Thanks,
>
> Gary
>
>
>
> *From:* openssl-users [mailto:openssl-users-bounces at openssl.org] *On
> Behalf Of *Michael Wojcik
> *Sent:* Monday, March 13, 2017 8:58 AM
>
> *To:* openssl-users at openssl.org
> *Subject:* Re: [openssl-users] Cannot read exported PKCS12 cert and
> private key
>
>
>
> I'll assume you mean you exported it "from a mainframe system" using RACF.
> RACF has half a dozen export formats for certificates and keys; they're not
> all supported by OpenSSL.
>
>
>
> In particular (and despite the PEM delimiters), I suspect what you have
> here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't
> support PEM encoding, because that's not normally done. RACF will do it,
> though, just to be difficult.
>
>
>
> openssl asn1parse -in *file* -inform pem shows you have valid ASN.1 data,
> with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data.
> So yes, looks like PKCS#12.
>
>
>
> So, try this:
>
> 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE
> ----" and "----- END CERTIFICATE ----").
>
> 2. Convert the data from Base64 to binary:
>                 openssl base64 -d -in *file* -out *file.der*
>
> 3. Unpack it:
>
>                 openssl pkcs12 -in *file*.der -nokeys -out *file*-cert.pem
>
>                 openssl pkcs12 -in *file*.der -nocerts -out *file*-key.pem
>
>
>
> Note the final openssl command will prompt you for the password to encrypt
> the key file with; if you don't want your private key encrypted, you can
> also specify -nodes.
>
>
>
> You can use openssl pkcs12 just once, without the -nokeys / -nocerts
> options, but that will put your certificate and key in the same file, which
> is generally not what you want with OpenSSL.
>
>
>
> Of course, you haven't told us what you're trying to do, so I'm just
> guessing.
>
>
>
> Also, I can't verify this, because I don't have the import password for
> your PKCS#12 file.
>
>
>
>
>
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
>
>
>
>
> *From:* openssl-users [mailto:openssl-users-bounces at openssl.org
> <openssl-users-bounces at openssl.org>] *On Behalf Of *Gary L Peskin
> *Sent:* Monday, March 13, 2017 08:39
> *To:* openssl-users at openssl.org
> *Subject:* Re: [openssl-users] Cannot read exported PKCS12 cert and
> private key
>
>
>
> My original message accidently included an attachment.  Please ignore the
> attachment.  That was not related to this issue.
>
>
>
> Thanks,
>
> Gary
>
>
>
> *From:* Gary L Peskin [mailto:garyp at firstech.com <garyp at firstech.com>]
> *Sent:* Monday, March 13, 2017 2:28 AM
> *To:* 'openssl-users at openssl.org' <openssl-users at openssl.org>
> *Subject:* Cannot read exported PKCS12 cert and private key
>
>
>
> Hello all
>
>
>
> I exported a certificate and corresponding private key in base 64 encoded
> DER format from a mainframe system and FTP’d it to my Windows desktop.
>
>
>
> I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on
> Windows with
>
>
>
> openssl pkcs12  -in mycert.p12  -noout
>
>
>
> But I get the following messages:
>
>
>
> 15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:.\crypto\asn1\tasn_dec.c:1199:
>
> 15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12
>
>
>
> I’m able to import this with the private key into the Windows certificate
> store with no issues.
>
>
>
> Can someone please advise as to what I’m doing wrong?
>
>
>
> Thanks,
>
> Gary
>
>
>
> PS Here is the file:
>
>
>
> -----BEGIN CERTIFICATE-----
>
> MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH
>
> BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS
>
> +TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu
>
> XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R
>
> q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ
>
> yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy
>
> 0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea
>
> dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O
>
> ++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p
>
> rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz
>
> 5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7
>
> iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv
>
> KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a
>
> YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL
>
> /jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91
>
> DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35
>
> LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI
>
> nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ
>
> A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc
>
> WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S
>
> voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx
>
> 5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ
>
> OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo
>
> 8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3
>
> DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI
>
> hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+
>
> egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa
>
> dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX
>
> gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL
>
> h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr
>
> XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw
>
> ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS
>
> VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H
>
> xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu
>
> 4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra
>
> bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9
>
> +qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx
>
> GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC
>
> dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB
>
> zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp
>
> gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n
>
> ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV
>
> +Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r
>
> J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL
>
> NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi
>
> NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R
>
> HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g
>
> 9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV
>
> qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs
>
> psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1
>
> fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ
>
> RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG
>
> SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1
>
> WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==
>
> -----END CERTIFICATE-----
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170313/52743246/attachment.html>