exporting the certificate with the .pfx

exporting the certificate with the .pfx

Harold Huggins

Hi, Everyone,

We are having issues exporting the certificate with the .pfx

Error printout log file as follows:

OpenSSL> pkcs12 -export -out "cfored.pfx" -inkey "cfored_encrypted_private.key"
-in "mergeredcertificate.crt"
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-idea encrypt private keys with idea
-seed encrypt private keys with seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-nomaciter don't use MAC iteration
-maciter use MAC iteration
-nomac don't generate MAC
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-macalg alg digest algorithm used in MAC (default SHA1)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file;file;...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
error in pkcs12
OpenSSL>

--

Harold Huggins

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: exporting the certificate with the .pfx

Viktor Dukhovni


> On Jun 15, 2018, at 7:25 PM, Harold Huggins <[hidden email]> wrote:
>
> We are having issues exporting the certificate with the .pfx

Works here.

$ openssl req -new -x509 -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem -days 30 -subj "/CN=$(uname -n)"
Generating a 1024 bit RSA private key
............................++++++
.................................................++++++
writing new private key to 'key.pem'
-----

$ openssl pkcs12 -export -out chain.p12 -inkey key.pem -in cert.pem \
    -passout pass:foobar -certpbe aes-128-cbc -keypbe aes-128-cbc

$ openssl pkcs12 -info -in chain.p12 -passin pass:foobar -passout pass:foobar
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
Certificate bag
Bag Attributes
    localKeyID: F7 AC 6C BE 62 B1 CC 80 C7 AC DC B4 9F 85 C6 19 C6 F7 4B 0F
subject=/CN=amnesiac.example
issuer=/CN=amnesiac.example
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
Bag Attributes  
    localKeyID: F7 AC 6C BE 62 B1 CC 80 C7 AC DC B4 9F 85 C6 19 C6 F7 4B 0F
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

--
        Viktor.
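
Added example, not part of the original thread: the usage listing above gives RC2-40 as the default certificate PBE, while the reply selects AES with -certpbe/-keypbe. This sh function classifies the bag-protection lines that `openssl pkcs12 -info` prints; the function names, the verdict labels and the legacy sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the PBE scheme protecting each bag of a PKCS#12 file, from the
# text that `openssl pkcs12 -info -noout` prints (read on stdin).
# Output: "<verdict> <bag> <scheme>" per bag; exit status 1 if any is LEGACY.
audit_p12_info() {
    awk '
    BEGIN { bad = 0 }
    {
        if (sub(/^PKCS7 Encrypted data: /, "")) { bag = "certs" }
        else if (sub(/^Shrouded Keybag: /, "")) { bag = "key" }
        else { next }
        split($0, f, ", ")
        if (f[1] == "PBES2") {
            # "PBES2, PBKDF2, <cipher>, Iteration N, PRF <prf>"
            scheme = f[3]
            verdict = (scheme ~ /^AES-/) ? "OK" : "REVIEW"
        } else {
            # PKCS#12 v1 PBE: "<pbeWithSHA1And...>, Iteration N"
            scheme = f[1]
            verdict = "LEGACY"
            bad = 1
        }
        print verdict, bag, scheme
    }
    END { exit bad }'
}

# Lines taken from the -info output quoted in the reply above.
sample_pbes2() {
    cat <<'EOF'
MAC verified OK
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA1
EOF
}

# Constructed sample: labels printed for an export made with the defaults
# named in the usage text (RC2-40 for certificates, 3DES for the key).
sample_legacy() {
    cat <<'EOF'
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

sample_pbes2  | audit_p12_info
sample_legacy | audit_p12_info || echo "legacy PBE in use: re-export with -certpbe/-keypbe"
# Real file (the info lines are written to stderr):
#   openssl pkcs12 -info -noout -in chain.p12 -passin pass:foobar 2>&1 | audit_p12_info
```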
