[Newbie] Conversion PEM --> DER (pkcs7) fails with demo certificate

[Newbie] Conversion PEM --> DER (pkcs7) fails with demo certificate

Rainer Menzner
Dear OpenSSL users,

first of all, let me point out that I'm a total newbie in the
area of encryption. So maybe, my question could sound stupid ...

I'm using OpenSSL V. 0.9.8a in order to experiment with pfx-files
and binary certificate files on Win32.

I did:

1) Create a personal information interchange file:

        openssl.exe pkcs12 -export -in pca-cert.pem -out test1.pfx -name "Test Certificate of RMz" -passout pass:12345678

    The resulting pfx file could be read by the Win32 mmc, so it
    seems to be correct.

2) Create a binary encoded DER file as a public certificate:

        openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text

This call results in the following error messages:

$ openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text
unable to load PKCS7 object
1752:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
1752:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:824:
1752:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:743:Field=type, Type=PKCS7
1752:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

If I call "openssl asn1parse -inform PEM -in pca-cert.pem" in order to
check the input file (I have found that recommendation in some other
thread), the output looks reasonable and no error message is produced.

Did I do something wrong here? And, finally, is there a way of
creating test certificates (pair of asymmetric keys with configurable
length plus descriptive data like user name, CA name, expiration date)
using the openssl tool?


Thanks in advance for your comments and best regards,

-Rainer

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: [Newbie] Conversion PEM --> DER (pkcs7) fails with demo certificate

Olaf Gellert
Rainer Menzner wrote:

> 2) Create a binary encoded DER file as a public certificate:
>
>     openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text

Well, what do you need? If you just want a DER file
for a single certificate, just use:

openssl x509 -in pca-cert.pem -outform DER -out pca-cert.cer

Pkcs7 is more a utility to view PKCS7 files (which
can contain more than one certificate). To build
pkcs7-files you have to use the openssl utility
crl2pkcs7. This one is a little bit funny: use it
like this (untested):

openssl crl2pkcs7 -certfile file1.pem -certfile file2.pem -out certs.pkcs7 -nocrl

Crazy thing to use "crl2pkcs7" with argument -nocrl ... :-)

Olaf

--
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Senior Researcher,                       Consulting GmbH
Phone: (+49) 0700 / PRESECURE           [hidden email]

                        A daily view on Internet Attacks
                        https://www.ecsirt.net/sensornet
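
Added example (not part of either poster's message and not OpenSSL code): a Python check of why the pkcs7 command rejected the file while x509 accepts it. A PKCS#7 ContentInfo has an OBJECT IDENTIFIER as its first field, whereas an X.509 certificate begins with a nested SEQUENCE (tbsCertificate), which is what the "wrong tag ... Field=type, Type=PKCS7" error in the first message reports. The DER samples are constructed minimal structures, not real certificates, and all function names are hypothetical.

```python
import base64
import re

PKCS7_OID_PREFIX = bytes.fromhex("2a864886f70d0107")  # 1.2.840.113549.1.7.x

def pem_to_der(pem_text):
    """Return (label, DER bytes) of the first PEM block: PEM is base64 of DER."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def read_header(buf, pos=0):
    """Parse one DER tag/length at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER content")
    return tag, pos, pos + length

def classify(der):
    """Pick the matching openssl subcommand from the outer SEQUENCE's first field."""
    tag, start, _ = read_header(der)
    if tag != 0x30:
        return "unknown"
    inner, istart, iend = read_header(der, start)
    if inner == 0x06 and der[istart:iend].startswith(PKCS7_OID_PREFIX):
        return "pkcs7"                 # ContentInfo: contentType OID comes first
    if inner == 0x30:
        return "x509"                  # certificate shape (a CRL or CSR also starts so)
    return "unknown"

def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed minimal DER structures (not real certificates), wrapped as PEM.
CERT_LIKE = to_pem("CERTIFICATE", bytes.fromhex("300a30030201013000030100"))
P7_LIKE = to_pem("PKCS7", bytes.fromhex("300d06092a864886f70d010702a000"))

if __name__ == "__main__":
    for pem in (CERT_LIKE, P7_LIKE):
        label, der = pem_to_der(pem)
        print(label, "->", classify(der))
```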


Re: [Newbie] Conversion PEM --> DER (pkcs7) fails with demo certificate

Rainer Menzner
Olaf Gellert wrote:

> Rainer Menzner wrote:
>
>
>>2) Create a binary encoded DER file as a public certificate:
>>
>>    openssl.exe pkcs7 -inform PEM -outform DER -in pca-cert.pem -out test1.cer -text
>
>
> Well, what do you need? If you just want a DER file
> for a single certificate, just use:
>
> openssl x509 -in pca-cert.pem -outform DER -out pca-cert.cer
>

yes, that's exactly what I was looking for.

Thanks for your response and best regards,
-Rainer

> Pkcs7 is more a utility to view PKCS7 files (which
> can contain more than one certificate). To build
> pkcs7-files you have to use the openssl utility
> crl2pkcs7. This one is a little bit funny: use it
> like this (untested):
>
> openssl crl2pkcs7 -certfile file1.pem -certfile file2.pem -out certs.pkcs7 -nocrl
>
> Crazy thing to use "crl2pkcs7" with argument -nocrl ... :-)
>
> Olaf
>


