[openssl-users] Cannot read exported PKCS12 cert and private key
Dr. Stephen Henson
steve at openssl.org
Tue Mar 14 13:00:29 UTC 2017
On Mon, Mar 13, 2017, Michael Wojcik wrote:
> I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.
> In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.
> openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.
> So, try this:
> 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").
> 2. Convert the data from Base64 to binary:
> openssl base64 -d -in file -out file.der
Note this can be simplified a bit with:
openssl asn1parse -in file.pem -out file.der
That should work for any PEM ASN.1 structure.
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
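The asn1parse check and the PEM-to-DER step discussed in this thread, as an added Python example that is not part of the original messages: it strips the PEM delimiters, decodes the Base64 body, and walks the outer DER structure to tell a PKCS#12 PFX from an X.509 certificate regardless of the label on the BEGIN line. The function names and the sample are constructed for illustration; only definite-length DER and the password-integrity layout (authSafe of type data) are recognised.

```python
import base64

PKCS7_DATA = bytes.fromhex("2a864886f70d010701")  # OID 1.2.840.113549.1.7.1 (data)

def pem_to_der(text):
    """Drop the BEGIN/END lines, whatever label they carry, and Base64-decode the rest."""
    body = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("-")]
    return base64.b64decode("".join(body), validate=True)

def read_tlv(der, off):
    """Return (tag, header_len, content_len) of the definite-length DER element at off."""
    tag, first = der[off], der[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if not 1 <= n <= 4:
        raise ValueError("indefinite or oversized length")
    return tag, 2 + n, int.from_bytes(der[off + 2:off + 2 + n], "big")

def classify(der):
    """Return (kind, offset of the authSafe OCTET STRING or None) from the outer layout."""
    tag, off, _ = read_tlv(der, 0)
    if tag != 0x30:
        return "unknown", None
    tag, h, n = read_tlv(der, off)
    if tag == 0x30:                       # Certificate starts with the tbsCertificate SEQUENCE
        return "x509-certificate", None
    if tag != 0x02 or der[off + h:off + h + n] != b"\x03":   # PFX version must be 3
        return "unknown", None
    off += h + n
    tag, h, _ = read_tlv(der, off)        # authSafe ContentInfo
    off += h
    oid_tag, h, n = read_tlv(der, off)    # contentType
    if tag != 0x30 or oid_tag != 0x06 or der[off + h:off + h + n] != PKCS7_DATA:
        return "unknown", None            # signedData (public-key integrity) not handled here
    off += h + n
    tag, h, _ = read_tlv(der, off)        # [0] EXPLICIT wrapper around the content
    return ("pkcs12", off + h) if tag == 0xA0 else ("unknown", None)

def tlv(tag, content):                    # DER encoder, used only to build the sample below
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + content

# Constructed sample: PFX skeleton with a 300-byte dummy blob, mislabelled as a certificate.
SAMPLE_DER = tlv(0x30, b"\x02\x01\x03" + tlv(0x30, tlv(0x06, PKCS7_DATA) + tlv(0xA0, tlv(0x04, bytes(300)))))
B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "\n".join(["-----BEGIN CERTIFICATE-----"] + [B64[i:i + 64] for i in range(0, len(B64), 64)] + ["-----END CERTIFICATE-----"])
print(classify(pem_to_der(SAMPLE_PEM)))
```

The sample is only a skeleton and is not a usable keystore; its dummy blob stands in for the encrypted contents.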