OpenSSL › OpenSSL - User

pkcs12 problem

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Todd Wease

pkcs12 problem

[wease1@desktop: ~] $ uname -r
2.6.12-1.1398_FC4smp
[wease1@desktop: ~] $ openssl version
OpenSSL 0.9.7f 22 Mar 2005

I just (by trail and error and finally by documentation) created a
pkcs12 certificate for use with SMIME in my email client Evolution. I
now get the following prompt every time I use sudo:

[wease1@desktop: ~] $ sudo mkdir help
Password:
4025:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:642:Expecting: CERTIFICATE
Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
[wease1@desktop: ~] $

The above happens whether or not sudo asks me for a password.

I also cannot retrieve my mail using any of pop3, pops3, imap, imaps
with dovecot now (other users have no problem and I can read my mail
locally with mutt).

Note this is my home desktop (and master server and testing grounds of
everything on my little home network) but I've also tried downloading my
mail from another computer on the same net without luck.

Below is a condensed version of my bash history:

* as user wease1 ***********************************************

- initial attempt ---------------------------------------------
openssl pkcs12 -export -inkey key.pem -certfile cert.pem -out
smime.pkcs12
openssl pkcs12 -export -inkey key.pem -certfile cert.pem
openssl pkcs12 -export -inkey key.pem -certfile cert.pem
cat cert.pem key.pem > temp.pem
openssl pkcs12 -export -in temp.pem -out smime.p12
less smime.p12
rm smime.p12
openssl pkcs12 -export -in temp.pem
---------------------------------------------------------------

- new certificate request and signed cert ---------------------
cd .ssl/
openssl x509 -in cert.pem -text
openssl x509 -in key.pem -text
openssl rsa -in key.pem -text
rm -fr cert.pem key.pem
openssl req -new -keyout key.pem -out certreq.pem
su
rm *
rm -fr *
openssl req -new -keyout key.pem -out certreq.pem
sudo cp certreq.pem /etc/pki/CA/
sudo chown wease1:wease1 cert.pem
su
chmod 600 key.pem
---------------------------------------------------------------

- attempts to get Evolution to recognize certificate ----------
cp cert.pem ..
cat cert.pem key.pem > smime.pem
less smime.pem
rm smime.pem
cat key.pem cert.pem > smime.crt
rm cert.pem
cd .ssl
rm smime.crt
---------------------------------------------------------------

- finally taking a good look at the documentation -------------
man pkcs12
---------------------------------------------------------------

- just in case it's useful that I use kerberos ----------------
klist
kinit
---------------------------------------------------------------

- the end ------------------------------------------------------
cd .ssl
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -rand /dev/random
-out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -rand /dev/random
-out smime.pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12
---------------------------------------------------------------

********************************************************************

* as super user ****************************************************

openssl pkcs12 -export -in cert.pem -inkey key.pem -out smime.pkcs12

********************************************************************

In the beginning, I revoked my initial certificate and made a new one,
thinking maybe there was something wrong because Evolution failed to
import the certificate - the problem being that I didn't understand the
pkcs12 format. The super user command was the one that finally seemed
to work. The last few wease1 commands didn't work quite right - with
the -rand option, the program would just hang and without it I would get
the following: "unable to write 'random state'". As super user I didn't
get this warning, and the smime.pkcs12 file was actually created with
wease1 ownership.

Thanks for any help and please let me know if I can provide any more
information.

Todd

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]