Enhancement request: make 'pkcs12' support -inform and -outform.
On Mon, Mar 13, 2017 at 9:26 AM, Gary L Peskin <ga...@firstech.com> wrote: > Thanks VERY much Michael. That did the trick. This was a homegrown CA > cert and I needed it to sign a certificate request for testing purposes. > > > > I didn’t realize that the openssl pkcs12 utility didn’t support PEM > encoding for input. I was a little confused I guess by the documentation > which shows PEM encoding for “-in filename” but I see now that that’s for > when exporting a PKCS#12 file, not for parsing one. > > > > Thanks again for clearing this up. It’s weird that MS supports this input > format but openssl does not. I thought openssl could do EVERYTHING. 😊 > > > > Thanks, > > Gary > > > > *From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On > Behalf Of *Michael Wojcik > *Sent:* Monday, March 13, 2017 8:58 AM > > *To:* openssl-users@openssl.org > *Subject:* Re: [openssl-users] Cannot read exported PKCS12 cert and > private key > > > > I'll assume you mean you exported it "from a mainframe system" using RACF. > RACF has half a dozen export formats for certificates and keys; they're not > all supported by OpenSSL. > > > > In particular (and despite the PEM delimiters), I suspect what you have > here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't > support PEM encoding, because that's not normally done. RACF will do it, > though, just to be difficult. > > > > openssl asn1parse -in *file* -inform pem shows you have valid ASN.1 data, > with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. > So yes, looks like PKCS#12. > > > > So, try this: > > 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE > ----" and "----- END CERTIFICATE ----"). > > 2. Convert the data from Base64 to binary: > openssl base64 -d -in *file* -out *file.der* > > 3. Unpack it: > > openssl pkcs12 -in *file*.der -nokeys -out *file*-cert.pem > > openssl pkcs12 -in *file*.der -nocerts -out *file*-key.pem > > > > Note the final openssl command will prompt you for the password to encrypt > the key file with; if you don't want your private key encrypted, you can > also specify -nodes. > > > > You can use openssl pkcs12 just once, without the -nokeys / -nocerts > options, but that will put your certificate and key in the same file, which > is generally not what you want with OpenSSL. > > > > Of course, you haven't told us what you're trying to do, so I'm just > guessing. > > > > Also, I can't verify this, because I don't have the import password for > your PKCS#12 file. > > > > > > Michael Wojcik > Distinguished Engineer, Micro Focus > > > > > > > > *From:* openssl-users [mailto:openssl-users-boun...@openssl.org > <openssl-users-boun...@openssl.org>] *On Behalf Of *Gary L Peskin > *Sent:* Monday, March 13, 2017 08:39 > *To:* openssl-users@openssl.org > *Subject:* Re: [openssl-users] Cannot read exported PKCS12 cert and > private key > > > > My original message accidently included an attachment. Please ignore the > attachment. That was not related to this issue. > > > > Thanks, > > Gary > > > > *From:* Gary L Peskin [mailto:ga...@firstech.com <ga...@firstech.com>] > *Sent:* Monday, March 13, 2017 2:28 AM > *To:* 'openssl-users@openssl.org' <openssl-users@openssl.org> > *Subject:* Cannot read exported PKCS12 cert and private key > > > > Hello all > > > > I exported a certificate and corresponding private key in base 64 encoded > DER format from a mainframe system and FTP’d it to my Windows desktop. > > > > I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on > Windows with > > > > openssl pkcs12 -in mycert.p12 -noout > > > > But I get the following messages: > > > > 15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong > tag:.\crypto\asn1\tasn_dec.c:1199: > > 15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 > error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12 > > > > I’m able to import this with the private key into the Windows certificate > store with no issues. > > > > Can someone please advise as to what I’m doing wrong? > > > > Thanks, > > Gary > > > > PS Here is the file: > > > > -----BEGIN CERTIFICATE----- > > MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH > > BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS > > +TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu > > XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R > > q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ > > yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy > > 0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea > > dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O > > ++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p > > rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz > > 5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7 > > iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv > > KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a > > YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL > > /jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91 > > DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35 > > LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI > > nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ > > A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc > > WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S > > voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx > > 5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ > > OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo > > 8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3 > > DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI > > hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+ > > egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa > > dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX > > gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL > > h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr > > XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw > > ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS > > VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H > > xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu > > 4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra > > bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9 > > +qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx > > GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC > > dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB > > zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp > > gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n > > ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV > > +Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r > > J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL > > NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi > > NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R > > HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g > > 9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV > > qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs > > psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1 > > fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ > > RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG > > SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1 > > WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w== > > -----END CERTIFICATE----- > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users