problem with cert-requests

problem with cert-requests

Markus Lippeck
hello,
I just subscribed to this list and am not sure whether I probably hit
the wrong list.
If so, I apologise ...

but now the question

I need to create a certificate request with an encrypted, password
protected PKCS#8 key and a cert request in PEM format.
(That is usually generated from the BEA WL6 console for which the cert
is later meant, but I'd rather use openssl for it.)

What I tried is this:

$OSSL req -newkey rsa:1024 -passout pass:$PW -passin pass:$PW -keyout
~/cert-requests/$CN-key.pw -keyform DER -out ~/cert-requests/$CN-req.csr
-outform PEM -config ~/cert-requests/ossl.conf.tmp

(
and also
encrypt_key = yes
in ossl.conf.tmp
)

However, it refuses to give me a DER key and still generates a
PEM-format key
(
file www.test.com-key.pw
www.test.com-key.pw:    ascii text
)

I can convert the key to DER format:
openssl rsa -in www.test.com-key.pw -outform DER -passout pass:$PW -out
www.test.de-key.der

but then the password seems to be gone.

Any suggestions?
Thanks in advance

openssl:
OpenSSL 0.9.7e 25 Oct 2004

System:
SunOS (...) 5.8 Generic_117350-26 sun4u sparc SUNW,Sun-Fire-V240

kind regards
Markus



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: problem with cert-requests

Dr. Stephen Henson
On Fri, Feb 24, 2006, Markus Lippeck wrote:

> hello,
> i just subscribed to this list and am not sure whether i probably hit
> the wrong list.
> If so i apologise ...
>
> but now the question
>
> I need to create a certificate request with encrypted, password
> protected  pkcs8-key and a cert request in PEM format.
> (that is usually generated from the BEA WL6 console for which the Cert
> later is meant - but I'd rather use openssl for it)
>

OpenSSL doesn't currently directly output private keys in PKCS#8 format.
Instead it uses a "traditional" format which for RSA keys is PKCS#1
RSAPrivateKeyInfo with optional encryption at the PEM level. That's why you
don't get encryption if you convert to DER.

You can convert the key to PKCS#8 format using the pkcs8 utility:

openssl pkcs8 -in key.pem -topk8 -out p8key.pem

That will use the older pbeWithMD5AndDES-CBC by default, which isn't very
secure but it should be compatible with most PKCS#8 implementations. If
possible, PKCS#5 v2 algorithms should be used instead, such as:

openssl pkcs8 -in key.pem -topk8 -out p8key.pem -v2 aes-256-cbc

Failing that, one of the PKCS#12 algorithms can use strong encryption. See the
manual page for the various encryption algorithms that can be used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
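The following script is an added example, not code from either message above or from the OpenSSL project. It walks the whole procedure the question asks for and the reply recommends: generate the key and CSR, show that `openssl rsa -outform DER` yields a key readable without any passphrase (the "password seems to be gone" symptom), then convert with `openssl pkcs8 -topk8 -v2 aes-256-cbc -outform DER` and verify from the ASN.1 structure and from a wrong-passphrase attempt that the protection survived. It assumes a current `openssl` (1.1.1 or 3.x) on PATH; the subject name `www.example.test`, the passphrase and the scratch directory are constructed for the demo, and `-subj` stands in for the `ossl.conf.tmp` config from the post. Note that OpenSSL 1.0.0 and later already write PKCS#8 PEM from `req -newkey`, so on a modern build the `pkcs8` step matters for the DER output and the PBES2/AES choice rather than for the PKCS#8 wrapping itself.

```shell
#!/bin/sh
# Added example (not from the original thread): encrypted PKCS#8 key in DER
# plus a PEM CSR, with checks that show why the plain DER conversion loses the
# passphrase. Requires openssl 1.1.1 or 3.x on PATH.
set -eu

WORK=$(mktemp -d)                  # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
PW='constructed-demo-passphrase'   # constructed; never hard-code a real one
CN='www.example.test'              # constructed subject name

# 1. Same step as in the question: new RSA key (PEM, passphrase-encrypted)
#    and a PEM CSR. -subj replaces the ossl.conf.tmp config from the post.
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 \
        -passout "pass:$PW" -keyout "$WORK/$CN-key.pem" \
        -out "$WORK/$CN-req.csr" -outform PEM \
        -subj "/CN=$CN" >/dev/null 2>&1
    # The CSR carries a self-signature; it must verify with its own public key.
    openssl req -in "$WORK/$CN-req.csr" -noout -verify >/dev/null 2>&1
}

# 2. The conversion from the question. DER has no PEM-level encryption layer,
#    so the output is a plaintext key no matter which -pass options are given.
rsa_to_der() {
    openssl rsa -in "$WORK/$CN-key.pem" -passin "pass:$PW" \
        -outform DER -out "$WORK/$CN-key-rsa.der" >/dev/null 2>&1
}

# 3. The fix from the reply: PKCS#8 EncryptedPrivateKeyInfo using PBES2 with
#    AES-256-CBC, written as DER. The encryption is part of the ASN.1
#    structure, so it survives the DER encoding.
pem_to_encrypted_pkcs8_der() {
    openssl pkcs8 -topk8 -in "$WORK/$CN-key.pem" -passin "pass:$PW" \
        -v2 aes-256-cbc -outform DER -passout "pass:$PW" \
        -out "$WORK/$CN-key-p8.der" >/dev/null 2>&1
}

# Returns 0 if the DER file loads with a wrong passphrase, i.e. it is not
# protected at all (the passphrase is simply ignored for plaintext keys).
loads_without_password() {
    openssl pkey -inform DER -in "$1" \
        -passin pass:not-the-passphrase -noout >/dev/null 2>&1
}

# Returns 0 if the DER file is PKCS#8 encrypted with PBES2 + AES-256-CBC,
# judged from the algorithm identifiers in the ASN.1 structure.
is_pbes2_aes256() {
    openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'PBES2' &&
    openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -qi 'aes-256-cbc'
}

# Returns 0 if the PKCS#8 DER is genuinely protected: the wrong passphrase
# is rejected and the right one decrypts it.
requires_password() {
    if openssl pkcs8 -inform DER -in "$1" \
        -passin pass:not-the-passphrase >/dev/null 2>&1; then
        return 1
    fi
    openssl pkcs8 -inform DER -in "$1" -passin "pass:$PW" >/dev/null 2>&1
}

run_demo() {
    gen_key_and_csr
    rsa_to_der
    pem_to_encrypted_pkcs8_der
    if loads_without_password "$WORK/$CN-key-rsa.der"; then
        echo "openssl rsa -outform DER: key readable without the passphrase"
    fi
    if requires_password "$WORK/$CN-key-p8.der" && is_pbes2_aes256 "$WORK/$CN-key-p8.der"; then
        echo "openssl pkcs8 -topk8 -v2 aes-256-cbc -outform DER: passphrase kept"
    fi
}
run_demo
```

The two check functions are the part worth keeping around: `loads_without_password` is a one-line audit for any DER or PEM private key that is supposed to be encrypted, and `is_pbes2_aes256` catches the case Steve warns about, where a PKCS#8 file is encrypted but with the weak default pbeWithMD5AndDES-CBC rather than a PKCS#5 v2 algorithm.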