[openssl-users] Cannot read exported PKCS12 cert and private key

Dr. Stephen Henson steve at openssl.org
Tue Mar 14 13:00:29 UTC 2017

On Mon, Mar 13, 2017, Michael Wojcik wrote:

> I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.
> In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.
> openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.
> So, try this:
> 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").
> 2. Convert the data from Base64 to binary:
>                 openssl base64 -d -in file -out file.der

Note this can be simplified a bit with:

openssl asn1parse -in file.pem -out file.der

That should work for any PEM ASN.1 structure.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
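
Added example (not part of the original message, and not OpenSSL code): a Python sketch of the check discussed in this thread, decoding a PEM body regardless of its label and testing whether the DER opens like a PKCS#12 PFX rather than a certificate. The function names and the sample data are constructed for illustration; only definite-length encodings are handled.

```python
import base64

# Content-type OIDs (value bytes only) that a PFX authSafe may carry (PKCS#12).
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def pem_to_der(text):
    """Base64-decode the PEM body, ignoring delimiter lines whatever label they carry."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-")]
    return base64.b64decode("".join(body), validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the definite-length element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, length = pos + 2, first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4:          # 0x80 is BER indefinite length: not handled here
            raise ValueError("unsupported length encoding")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, start, start + length

def looks_like_pkcs12(der):
    """True if der opens like a PFX: SEQUENCE { INTEGER 3, SEQUENCE { OID data|signedData."""
    try:
        tag, seq_start, _ = read_tlv(der, 0)
        vtag, ver_start, ver_end = read_tlv(der, seq_start)
        ctag, ci_start, _ = read_tlv(der, ver_end)
        otag, oid_start, oid_end = read_tlv(der, ci_start)
    except (ValueError, IndexError):
        return False
    # An X.509 certificate fails here: its second element is a SEQUENCE, not INTEGER 3.
    return ((tag, vtag, ctag, otag) == (0x30, 0x02, 0x30, 0x06)
            and der[ver_start:ver_end] == b"\x03"
            and der[oid_start:oid_end] in (OID_DATA, OID_SIGNED_DATA))

def tlv(tag, value):  # encodes one short (<128 byte) element; only builds the sample
    return bytes([tag, len(value)]) + value

# Constructed sample: a PFX-shaped header around a dummy payload, under the wrong PEM label.
SAMPLE_DER = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x06, OID_DATA)
                 + tlv(0xA0, tlv(0x04, b"constructed"))))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```
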
