How to include intermediate in pkcs12?

How to include intermediate in pkcs12?

Edward Ned Harvey (openssl)

A bunch of things on the internet say to do "-cafile intermediate.pem -cafile root.pem" or "-certfile intermediate.pem -certfile root.pem" and they explicitly say that calling these command-line options more than once is ok and will result in both the certs being included in the final pkcs12... But I have found this to be untrue.

I have found, that if I concatenate intermediate & root into a single glom file, and then I specify -certfile once for the glom, then my pfx file will include the complete chain. But if I use -certfile twice, I get no intermediate in my pfx. And I just wasted more time than I care to describe, figuring this out.

So... While concatenation/glom is a viable workaround, I'd like to know, what's supposed to work? And was it a new feature introduced after a certain rev or something? I have OpenSSL 0.9.8y command-line on Mac OSX, and OpenSSL 1.0.1e command-line on cygwin. I believe I've seen the same behavior in both.


RE: How to include intermediate in pkcs12?

Dave Thompson-5

A lot of things on the Internet are wrong. The OpenSSL man page does not say multiple occurrences work and I'm pretty sure it never did, nor did the code. In general OpenSSL commandlines don't handle repeated options; the few exceptions are noted. pkcs12 -caname (NOT -cafile) IS one of the few that can be repeated, and possibly some things on the Internet got that confused. However, the commandlines (at least usually?) don't *diagnose* repeated (and overridden) options.

pkcs12 -export gets certs from up to three places:
- the input file (-in if specified else stdin redirected or piped)
- -certfile if specified (once, as you saw)
- the truststore if -CAfile and/or -CApath specified IF NEEDED

In other words, any cert in infile or certfile is always in the output, needed or not. If that set does not provide a complete chain, pkcs12 will try to complete it using the truststore if specified, but will produce output even if it remains incomplete. Like other commandlines, and many programs using the library, the truststore can be a single file with -CAfile (NOT -cafile) or a directory of hashnamed links or files with -CApath or both.

If the cert you are putting in pkcs12 is under a CA that you trust other peers to use and thus you have in your truststore, easiest to use it from there. Similarly if your cert is under an intermediate (or several) that you have in your truststore to allow peers to use even if the peers don't send (as they should), easiest to use from there. Otherwise IMO it's easiest to just put in infile or -certfile (or a combination), although the option of temporarily creating or modifying a truststore works.

Whether to do your truststore with CAfile or CApath or both is a more general question and depends partly on whether you use somebody's package. For example the curl website supplies the Mozilla truststore in CAfile format; when I want to use that I don't bother converting to CApath format.


From: [hidden email] [[hidden email]] On Behalf Of Edward Ned Harvey (openssl)
Sent: Tuesday, April 22, 2014 15:31
To: [hidden email]
Subject: *** Spam *** How to include intermediate in pkcs12?

RE: How to include intermediate in pkcs12?

Edward Ned Harvey (openssl)
> From: [hidden email] [mailto:owner-openssl-
> [hidden email]] On Behalf Of Dave Thompson
>
> - the truststore if -CAfile and/or -CApath specified IF NEEDED

Thank you very much for your awesome detailed answer.  This answers a lot of questions, but I am left with a new one:

I use openssl on a lot of different platforms, and it always seems to be built differently...  OSX native, OSX homebrew, various linuxes, openindiana, cygwin, nuGet in Visual Studio, etc.  I don't know if these builds universally include any set of root CA's, and sometimes I can find a directory to answer my question, sometimes not.

Is there some way I can make openssl tell me the list of roots it has?  Or tell me the directory (directories) that it searches?

It seems, to answer my original question, *if* I can trust that openssl on the platform that I'm using actually has a complete-ish set of root CA's, then the best and easiest way to build the pfx will be:
        openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt
        (Correct?)

And if the above doesn't automatically include the root CA for my chain (or if I just like doing it explicitly), then I can do this:
        openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
        (Correct?)

Alternatively, I could
        cat mycert.crt intermediate.crt ca.crt > mychain.crt
        openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt
        (Correct?)

Thanks...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: How to include intermediate in pkcs12?

Tom Francis-2

On Apr 24, 2014, at 8:21 AM, Edward Ned Harvey (openssl) <[hidden email]> wrote:

>> From: [hidden email] [mailto:owner-openssl-
>> [hidden email]] On Behalf Of Dave Thompson
>>
>> - the truststore if -CAfile and/or -CApath specified IF NEEDED
>
> Thank you very much for your awesome detailed answer.  This answers a lot of questions, but I am left with a new one:
>
> I use openssl on a lot of different platforms, and it always seems to be built differently...  OSX native, OSX homebrew, various linuxes, openindiana, cygwin, nuGet in Visual Studio, etc.  I don't know if these builds universally include any set of root CA's, and sometimes I can find a directory to answer my question, sometimes not.

OpenSSL itself does not include any certificates at all.  The root certificates installed on a system are unrelated to the version of OpenSSL or how OpenSSL was compiled.

> Is there some way I can make openssl tell me the list of roots it has?  Or tell me the directory (directories) that it searches?

For the second question, no; there’s no location that OpenSSL (either the library or the command line app) will search automatically — you have to specify that on your own, with -CApath (or -CAfile).  For the first question, there are a few different possibilities, but remember that you have to tell OpenSSL where to look, and what to look for. :)  You could, e.g., use ‘openssl x509 -noout -text -in <file>’ for a bunch of different certificate files in DER or PEM format (it’ll even work if there are multiple certificates in <file>).

> It seems, to answer my original question, *if* I can trust that openssl on the platform that I'm using actually as a complete-ish set of root CA's, then the best and easiest way to build the pfx will be:
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt
> (Correct?)

If the OS has a complete-ish set of root certificates installed somewhere, you can use a command line like that, but you probably want to use -CApath to specify the directory where the root certificates are installed.

> And if the above doesn't automatically include the root CA for my chain (or if I just like doing it explicitly), then I can do this:
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
> (Correct?)

That’s likely to be more reliable everywhere. :)

> Alternatively, I could
> cat mycert.crt intermediate.crt ca.crt > mychain.crt
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt
> (Correct?)

This would also work, but unless you’ve got another reason to stick all of the certificates in the chain into a single file first, it’s likely to be more trouble than it’s worth.  I usually put my root and any intermediates into a single file and use -CAfile to specify the intermediate(s) (if any) and root when I’m generating certificates and packaging them in PKCS#12 for distribution (e.g. to send to a Windows user).  But I think the question of what’s “best” is dependent on what you’re doing, and how you like to do things. :)

TOM


RE: How to include intermediate in pkcs12?

Edward Ned Harvey (openssl)
> From: [hidden email] [mailto:owner-openssl-
> [hidden email]] On Behalf Of Tom Francis
>
> > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
> > (Correct?)

So ...  I just tried this, and confirmed, that it doesn't work...  The root CA cert is not included in the pfx.


> > Alternatively, I could
> > cat mycert.crt intermediate.crt ca.crt > mychain.crt
> > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt

It seems the easiest thing to do is...

cat intermediate.crt ca.crt > chain.crt
openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile chain.crt


RE: How to include intermediate in pkcs12?

Dave Thompson-5
> From: [hidden email] On Behalf Of Edward Ned Harvey (openssl)
> Sent: Thursday, April 24, 2014 16:15
>
> > > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile intermediate.crt -CAfile ca.crt
> > > (Correct?)
> >
> So ... I just tried this, and confirmed, that it doesn't work... The root CA cert is not included in the pfx.
>
Works for me.

Are you sure you used the correct root? Note that you can put a mismatching root in the pkcs12 using the other ways (infile or -certfile) and the pkcs12 will still work correctly often -- at least IE+Chrome, Firefox, and Java using JKS.

> > > Alternatively, I could
> > > cat mycert.crt intermediate.crt ca.crt > mychain.crt
> > > openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mychain.crt
> >
> It seems the easiest thing to do is...
>
> cat intermediate.crt ca.crt > chain.crt
> openssl pkcs12 -export -out mypkcs12.pfx -inkey my.private.key -in mycert.crt -certfile chain.crt
>
Both of those will always put the (putative) root.

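Added example, not code from the thread or from the OpenSSL project: a POSIX shell script that uses the openssl CLI to mint a throwaway root, intermediate and leaf, packages the leaf with each option spelling argued over above, and counts the certificates that actually land in each .pfx, going one step past the thread by showing that -CAfile only populates the truststore that pkcs12 consults when -chain is also given. File names, subjects and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate ->
# leaf chain, package the leaf with the option spellings discussed above, and
# count which certificates actually land in each .pfx. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PW=pass:changeit   # constructed throwaway export password

# mk_cert NAME ISSUER EXTENSIONS: self-signed when ISSUER is empty.
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' "$3" > "$WORK/$1.ext"
  if [ -z "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  fi
}
mk_cert root  ""    "basicConstraints=critical,CA:TRUE"
mk_cert inter root  "basicConstraints=critical,CA:TRUE"
mk_cert leaf  inter "basicConstraints=CA:FALSE"
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.crt"   # the "glom" file

# build_pfx OUT [extra pkcs12 -export options...]
build_pfx() {
  out=$1; shift
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -passout "$PW" -out "$out" "$@"
}
# count_certs PFX: number of certificates inside (0 if it cannot be read).
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PW" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Repeated -certfile: the last one wins, so the intermediate is dropped.
build_pfx "$WORK/twice.pfx"  -certfile "$WORK/inter.crt" -certfile "$WORK/root.crt"
# One concatenated -certfile: every cert in it is copied into the .pfx.
build_pfx "$WORK/glom.pfx"   -certfile "$WORK/chain.crt"
# -CAfile only feeds the truststore, which pkcs12 consults when -chain is given.
build_pfx "$WORK/cafile.pfx" -certfile "$WORK/inter.crt" -CAfile "$WORK/root.crt"
for f in twice glom cafile; do
  printf '%-7s %s cert(s)\n' "$f" "$(count_certs "$WORK/$f.pfx")"
done
```

The counts come out as 2, 3 and 2: only the concatenated -certfile carries the whole chain, and the -CAfile form leaves the root out unless -chain is added.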