Hello,

I have isolated the problem to the private key that seems to be
incorrectly generated. When I take my self-created certificate and my
self-created RSA key and try to convert them to PKCS#12, the following
error occurs:

[EMAIL PROTECTED] kunz]$ openssl pkcs12 -export -in testcert.pem -inkey testkey.pem -out test.p12
Error loading private key
22864:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
22864:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header:a_int.c:204:
22864:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117:
22864:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
22864:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291:

The portion of my C code that generates the key and adds it to the
certificate request looks like this (readers of the O'Reilly OpenSSL
book will find this strangely familiar):

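  /* Generate a 1024-bit RSA key pair with public exponent 3 */
  if (!(keypair = RSA_generate_key(1024, RSA_3, NULL, NULL)))
        int_error("Error generating keypair");
  /* RSA_check_key returns 1 for a valid key, 0 or -1 otherwise */
  if (RSA_check_key(keypair) != 1)
        int_error("Error with keypair!");
  /* Wrap the RSA key in an EVP_PKEY */
  if (!(pkey = EVP_PKEY_new()))
        int_error("Error creating EVP_PKEY");
  if (!(EVP_PKEY_set1_RSA(pkey, keypair)))
        int_error("Error setting key to RSA");
  /* Create the certificate request and attach the public key */
  if (!(req = X509_REQ_new ()))
    int_error("Error creating new request");
  if (!X509_REQ_set_pubkey (req, pkey))
    int_error("Error setting public key in request");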

After all is said and done, the private key is written to the PEM file:

  /* No cipher and no passphrase: the key is written unencrypted */
  if (!(PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL)))
    int_error ("Error writing private key");

We're not encrypting the key because the resulting proxy certificate
chain is used for single-sign-on purposes in a Grid environment. We do
need the key because we need to be able to delegate new proxy
certificates based on the one that has just been generated.

However, since the private key and certificate are basically throwaway
items that are regenerated for each job submission, I feel no pain
showing both to you. Impersonate me if you want, but do it quickly ;)
-----BEGIN RSA PRIVATE KEY-----
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM
SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED
-----END RSA PRIVATE KEY-----

The key is somehow wrong, but how? And why?

Regards,

--ck
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
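
A structural check of the key block posted above, as an added example that is not part of the original post: it walks the DER inside the PEM and lists which PKCS#1 RSAPrivateKey fields the block contains. The function names are illustrative, and the parser handles only the SEQUENCE-of-INTEGER layout this format uses.

```python
import base64

# PKCS#1 RSAPrivateKey fields, in encoding order (RFC 8017, A.1.2).
FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

# The key block exactly as posted in the message above.
POSTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM
SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED
-----END RSA PRIVATE KEY-----"""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def rsa_private_key_fields(pem):
    """Map each INTEGER found in the outer SEQUENCE to its PKCS#1 field name."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    found, pos = {}, 0
    while pos < len(seq) and len(found) < len(FIELDS):
        tag, value, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        found[FIELDS[len(found)]] = int.from_bytes(value, "big", signed=True)
    return found

def missing_fields(pem):
    """Names of the RSAPrivateKey fields the PEM block does not contain."""
    return FIELDS[len(rsa_private_key_fields(pem)):]

if __name__ == "__main__":
    print("present:", list(rsa_private_key_fields(POSTED_PEM)))
    print("missing:", missing_fields(POSTED_PEM))
```

On the posted block the SEQUENCE ends after version, modulus and publicExponent, which is consistent with the d2i_ASN1_INTEGER failure in the error output: the parser reaches the end of the data where the private exponent should begin.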