Re: openssl-users Digest, Vol 37, Issue 1


Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Fri, 01 Dec 2017 21:34:15 +0000, [hidden email] said:

openssl-users-request> Hi,
openssl-users-request>
openssl-users-request> I have a `Certificates.p12` file that I wish to convert to a
openssl-users-request> `certificates.pem` containing an unencrypted private key in PKCS#1 format.
openssl-users-request> I have previously been able to do this by running:
openssl-users-request>
openssl-users-request>     openssl pkcs12 -in Certificates.p12 -out certificates.pem -nodes -clcerts
openssl-users-request>
openssl-users-request> The resulting `certificates.pem` file has a `PRIVATE KEY` PEM block, as
openssl-users-request> expected. However, the library I'm using
openssl-users-request> <https://github.com/sideshow/apns2/blob/master/certificate/certificate.go#L80>
openssl-users-request> does not understand this PEM block, because it expects it to be a PKCS#1 private
openssl-users-request> key. The ASN.1 structure of a PKCS#1 private key is defined by RFC 3447
openssl-users-request> <https://tools.ietf.org/html/rfc3447#appendix-A.1.2> as:

'openssl pkcs12' outputs a PKCS#8 structure, which is the default for
new private keys in OpenSSL.  You might be interested in this
structure, it's documented in RFC 5208:

    https://tools.ietf.org/html/rfc5208

You might want to tell github:sideshow as well...  it's actually
pretty easy, the package they use has a function to parse PKCS#8
private keys as well:

    https://golang.org/pkg/crypto/x509/#ParsePKCS8PrivateKey

openssl-users-request> How do I make `openssl pkcs12` output a correct
openssl-users-request> PKCS#1 private key?

You don't.  If you want to insist on an older format, then conversion
it is.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/