Re: Cannot read exported PKCS12 cert and private key

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Gary L Peskin

My original message accidently included an attachment.  Please ignore the attachment.  That was not related to this issue.

 

Thanks,

Gary

 

From: Gary L Peskin [mailto:[hidden email]]
Sent: Monday, March 13, 2017 2:28 AM
To: '[hidden email]' <[hidden email]>
Subject: Cannot read exported PKCS12 cert and private key

 

Hello all

 

I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.

 

I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with

 

openssl pkcs12  -in mycert.p12  -noout

 

But I get the following messages:

 

15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199:

15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12

 

I’m able to import this with the private key into the Windows certificate store with no issues.

 

Can someone please advise as to what I’m doing wrong?

 

Thanks,

Gary

 

PS Here is the file:

 

-----BEGIN CERTIFICATE-----

MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH

BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS

+TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu

XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R

q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ

yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy

0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea

dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O

++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p

rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz

5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7

iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv

KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a

YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL

/jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91

DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35

LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI

nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ

A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc

WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S

voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx

5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ

OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo

8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3

DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI

hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+

egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa

dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX

gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL

h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr

XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw

ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS

VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H

xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu

4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra

bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9

+qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx

GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC

dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB

zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp

gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n

ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV

+Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r

J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL

NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi

NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R

HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g

9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV

qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs

psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1

fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ

RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG

SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1

WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==

-----END CERTIFICATE-----


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Michael Wojcik

I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.

 

In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.

 

openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.

 

So, try this:

1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").

2. Convert the data from Base64 to binary:
                openssl base64 -d -in file -out file.der

3. Unpack it:

                openssl pkcs12 -in file.der -nokeys -out file-cert.pem

                openssl pkcs12 -in file.der -nocerts -out file-key.pem

 

Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes.

 

You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL.

 

Of course, you haven't told us what you're trying to do, so I'm just guessing.

 

Also, I can't verify this, because I don't have the import password for your PKCS#12 file.

 

 

Michael Wojcik
Distinguished Engineer, Micro Focus

 

 

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 08:39
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

My original message accidently included an attachment.  Please ignore the attachment.  That was not related to this issue.

 

Thanks,

Gary

 

From: Gary L Peskin [[hidden email]]
Sent: Monday, March 13, 2017 2:28 AM
To: '[hidden email]' <[hidden email]>
Subject: Cannot read exported PKCS12 cert and private key

 

Hello all

 

I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.

 

I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with

 

openssl pkcs12  -in mycert.p12  -noout

 

But I get the following messages:

 

15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199:

15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12

 

I’m able to import this with the private key into the Windows certificate store with no issues.

 

Can someone please advise as to what I’m doing wrong?

 

Thanks,

Gary

 

PS Here is the file:

 

-----BEGIN CERTIFICATE-----

MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH

BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS

+TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu

XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R

q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ

yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy

0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea

dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O

++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p

rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz

5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7

iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv

KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a

YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL

/jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91

DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35

LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI

nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ

A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc

WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S

voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx

5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ

OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo

8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3

DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI

hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+

egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa

dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX

gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL

h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr

XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw

ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS

VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H

xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu

4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra

bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9

+qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx

GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC

dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB

zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp

gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n

ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV

+Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r

J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL

NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi

NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R

HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g

9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV

qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs

psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1

fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ

RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG

SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1

WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==

-----END CERTIFICATE-----


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Gary L Peskin

Thanks VERY much Michael.  That did the trick.  This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.

 

I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input.  I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.

 

Thanks again for clearing this up.  It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING.  😊

 

Thanks,

Gary

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Wojcik
Sent: Monday, March 13, 2017 8:58 AM
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.

 

In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.

 

openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.

 

So, try this:

1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").

2. Convert the data from Base64 to binary:
                openssl base64 -d -in file -out file.der

3. Unpack it:

                openssl pkcs12 -in file.der -nokeys -out file-cert.pem

                openssl pkcs12 -in file.der -nocerts -out file-key.pem

 

Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes.

 

You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL.

 

Of course, you haven't told us what you're trying to do, so I'm just guessing.

 

Also, I can't verify this, because I don't have the import password for your PKCS#12 file.

 

 

Michael Wojcik
Distinguished Engineer, Micro Focus

 

 

 

From: openssl-users [[hidden email]] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 08:39
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

My original message accidently included an attachment.  Please ignore the attachment.  That was not related to this issue.

 

Thanks,

Gary

 

From: Gary L Peskin [[hidden email]]
Sent: Monday, March 13, 2017 2:28 AM
To: '[hidden email]' <[hidden email]>
Subject: Cannot read exported PKCS12 cert and private key

 

Hello all

 

I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.

 

I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with

 

openssl pkcs12  -in mycert.p12  -noout

 

But I get the following messages:

 

15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199:

15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12

 

I’m able to import this with the private key into the Windows certificate store with no issues.

 

Can someone please advise as to what I’m doing wrong?

 

Thanks,

Gary

 

PS Here is the file:

 

-----BEGIN CERTIFICATE-----

MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH

BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS

+TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu

XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R

q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ

yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy

0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea

dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O

++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p

rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz

5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7

iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv

KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a

YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL

/jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91

DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35

LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI

nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ

A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc

WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S

voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx

5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ

OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo

8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3

DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI

hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+

egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa

dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX

gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL

h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr

XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw

ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS

VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H

xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu

4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra

bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9

+qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx

GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC

dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB

zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp

gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n

ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV

+Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r

J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL

NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi

NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R

HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g

9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV

qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs

psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1

fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ

RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG

SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1

WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==

-----END CERTIFICATE-----


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Kyle Hamilton
Enhancement request:

make 'pkcs12' support -inform and -outform.

On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin <[hidden email]> wrote:

Thanks VERY much Michael.  That did the trick.  This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.

 

I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input.  I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.

 

Thanks again for clearing this up.  It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING.  😊

 

Thanks,

Gary

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Wojcik
Sent: Monday, March 13, 2017 8:58 AM


To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.

 

In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.

 

openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.

 

So, try this:

1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").

2. Convert the data from Base64 to binary:
                openssl base64 -d -in file -out file.der

3. Unpack it:

                openssl pkcs12 -in file.der -nokeys -out file-cert.pem

                openssl pkcs12 -in file.der -nocerts -out file-key.pem

 

Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes.

 

You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL.

 

Of course, you haven't told us what you're trying to do, so I'm just guessing.

 

Also, I can't verify this, because I don't have the import password for your PKCS#12 file.

 

 

Michael Wojcik
Distinguished Engineer, Micro Focus

 

 

 

From: openssl-users [[hidden email]] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 08:39
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

My original message accidently included an attachment.  Please ignore the attachment.  That was not related to this issue.

 

Thanks,

Gary

 

From: Gary L Peskin [[hidden email]]
Sent: Monday, March 13, 2017 2:28 AM
To: '[hidden email]' <[hidden email]>
Subject: Cannot read exported PKCS12 cert and private key

 

Hello all

 

I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.

 

I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with

 

openssl pkcs12  -in mycert.p12  -noout

 

But I get the following messages:

 

15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199:

15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12

 

I’m able to import this with the private key into the Windows certificate store with no issues.

 

Can someone please advise as to what I’m doing wrong?

 

Thanks,

Gary

 

PS Here is the file:

 

-----BEGIN CERTIFICATE-----

MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH

BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS

+TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu

XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R

q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ

yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy

0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea

dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O

++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p

rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz

5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7

iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv

KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a

YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL

/jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91

DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35

LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI

nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ

A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc

WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S

voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx

5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ

OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo

8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3

DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI

hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+

egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa

dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX

gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL

h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr

XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw

ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS

VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H

xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu

4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra

bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9

+qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx

GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC

dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB

zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp

gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n

ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV

+Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r

J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL

NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi

NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R

HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g

9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV

qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs

psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1

fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ

RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG

SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1

WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==

-----END CERTIFICATE-----


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Michael Wojcik
In reply to this post by Gary L Peskin

Glad I could help. To be honest, I had to play around with it for a bit before I remembered that RACF can export PEM-encoded PKCS#12, and how I had handled that the last time I went through this myself.

 

Also, having experience with figuring out what a file is using openssl asn1parse definitely helps. The last time I taught a class on key and certificate handling, we did an entire exercise on this, because we're always getting this sort of thing from customers. "Here's a zip with our key and certificate files", they say, and then there are files in it with names like "file0" and "key1", and it turns out "key1" is actually a certificate. Learning how to match private keys to certificates is also very useful; I actually ended up giving one customer a script to do that, because they'd been copying things from machine to machine and had really confused the situation.

 

Someone needs to write a book like Surviving Cryptography with OpenSSL that covers these things, along the lines of Ivan Ristić's OpenSSL Cookbook. (I'd volunteer but to be honest it'd never get done.) I guess this sort of thing should go on the wiki; maybe some of it's there already.

Anyway, back on the subject: I suppose technically this is not really PEM encoding, because the PEM delimiters lie. "----- BEGIN CERTIFICATE -----" claims that what follows is a Base64-encoded DER-encoded X.509 certificate, not a Base64-encoded DER-encoded PKCS#12 structure. Those are rather different things. I suspect RACF supports this because 1) it was easy and 2) it's convenient to have a text representation (that converts cleanly between EBCDIC and ASCII). But it's not technically correct.

 

That's probably why OpenSSL doesn't support it; fake-PEM-PKCS#12 is a RACF idiosyncracy, as far as I know. I'm guessing Windows just takes whatever's between the PEM delimiters, decodes the Base64, parses it as ASN.1 DER, and then decides what to do.

 

You could argue, by Postel's Interoperability Principle, that openssl should have a "-figure-out-the-format" option for every command that takes files. On the other hand, the Interoperability Principle is a security risk; many vulnerabilities are eliminated simply by requiring inputs that satisfy the specification.

 

With a decent scripting language it's pretty easy to recognize one of these files and automatically extract it into something sensible.

 

 

Michael Wojcik
Distinguished Engineer, Micro Focus

 

 

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 10:26
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

Thanks VERY much Michael.  That did the trick.  This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.

 

I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input.  I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.

 

Thanks again for clearing this up.  It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING.  😊

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Gary L Peskin

Thanks again.  Very clear.  I’m thinking maybe of a small utility or even a web site were you could upload the thing and it would tell you what it was looking it.  I’ll add that to my never-ending to do list on the off chance that I’ll ever have spare time.

 

Gary

 

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Wojcik
Sent: Monday, March 13, 2017 11:05 AM
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

Glad I could help. To be honest, I had to play around with it for a bit before I remembered that RACF can export PEM-encoded PKCS#12, and how I had handled that the last time I went through this myself.

 

Also, having experience with figuring out what a file is using openssl asn1parse definitely helps. The last time I taught a class on key and certificate handling, we did an entire exercise on this, because we're always getting this sort of thing from customers. "Here's a zip with our key and certificate files", they say, and then there are files in it with names like "file0" and "key1", and it turns out "key1" is actually a certificate. Learning how to match private keys to certificates is also very useful; I actually ended up giving one customer a script to do that, because they'd been copying things from machine to machine and had really confused the situation.

 

Someone needs to write a book like Surviving Cryptography with OpenSSL that covers these things, along the lines of Ivan Ristić's OpenSSL Cookbook. (I'd volunteer but to be honest it'd never get done.) I guess this sort of thing should go on the wiki; maybe some of it's there already.

 

Anyway, back on the subject: I suppose technically this is not really PEM encoding, because the PEM delimiters lie. "----- BEGIN CERTIFICATE -----" claims that what follows is a Base64-encoded DER-encoded X.509 certificate, not a Base64-encoded DER-encoded PKCS#12 structure. Those are rather different things. I suspect RACF supports this because 1) it was easy and 2) it's convenient to have a text representation (that converts cleanly between EBCDIC and ASCII). But it's not technically correct.

 

That's probably why OpenSSL doesn't support it; fake-PEM-PKCS#12 is a RACF idiosyncracy, as far as I know. I'm guessing Windows just takes whatever's between the PEM delimiters, decodes the Base64, parses it as ASN.1 DER, and then decides what to do.

 

You could argue, by Postel's Interoperability Principle, that openssl should have a "-figure-out-the-format" option for every command that takes files. On the other hand, the Interoperability Principle is a security risk; many vulnerabilities are eliminated simply by requiring inputs that satisfy the specification.

 

With a decent scripting language it's pretty easy to recognize one of these files and automatically extract it into something sensible.

 

 

Michael Wojcik
Distinguished Engineer, Micro Focus

 

 

 

From: openssl-users [[hidden email]] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 10:26
To: [hidden email]
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

Thanks VERY much Michael.  That did the trick.  This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.

 

I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input.  I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.

 

Thanks again for clearing this up.  It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING.  😊

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Cannot read exported PKCS12 cert and private key

Dr. Stephen Henson
In reply to this post by Michael Wojcik
On Mon, Mar 13, 2017, Michael Wojcik wrote:

> I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.
>
> In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.
>
> openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.
>
> So, try this:
> 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").
> 2. Convert the data from Base64 to binary:
>                 openssl base64 -d -in file -out file.der

Note this can be simplified a bit with:

openssl asn1parse -in file.pem -out file.der

That should work for any PEM ASN.1 structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users