RE: How to split a pfx file into cert and key?

[Dr. Matthias St. Pierre]

It’s the passwort which protects the p12 file. If you were given a ‘PIN’ for 
your pfx file, try that.
OpenSSL calls it ‘import passwort’, because it is importing from p12 format and 
exporting to
pem format.

Two remarks about those three commands:

If you omit the  `-nodes` argument in the first command, OpenSSL will ask you 
for another
passwort to encrypt the private key, which I’d recommend if it’s an important 
key.
The third command is only necessary, if you omitted `-nodes` in the first step, 
because
otherwise the key already is unencrypted and has no passphrase.
1.  Run the following command to export the private key: openssl pkcs12 -in 
certname.pfx -nocerts -out key.pem -nodes
2.  Run the following command to export the certificate: openssl pkcs12 -in 
certname.pfx -nokeys -out cert.pem
3.  Run the following command to remove the passphrase from the private 
key: openssl rsa -in key.pem -out server.key
HTH,
Matthias




From: openssl-users  On Behalf Of Michael 
Leone
Sent: Thursday, February 13, 2020 9:34 PM
To: openssl-users@openssl.org
Subject: How to split a pfx file into cert and key?

I received a pfx file from one our techs. A pfx file is a cert and key, all in 
one binary file. He needs me to split it out into the cert and the key, so I 
can create a new request from that key, and then sign a new cert for him.

(no, I don't know why he can't just create a new request. And I would revoke 
the old cert, except that I am unsure of the details he used in naming it, so I 
don't know what to revoke .. So I am stuck trying to see if I can help the guy, 
by creating a new request from the private key, presuming I can extract the 
private key ...)

Anyways, I found this set of commands

Extracting Certificate and Private Key Files from a .pfx 
File
https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File


  1.  Note: the *.pfx file is in PKCS#12 format and includes both the 
certificate and the private key.
2.  Run the following command to export the private key: openssl pkcs12 -in 
certname.pfx -nocerts -out key.pem -nodes
3.  Run the following command to export the certificate: openssl pkcs12 -in 
certname.pfx -nokeys -out cert.pem
4.  Run the following command to remove the passphrase from the private 
key: openssl rsa -in key.pem -out server.key

But I'm asked for an "Import password" ..

$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out 
DCTRNPS001_key.pem -nodes
Enter Import Password:

And I have no idea what an "import" password is. It's not the password for the 
private key, so I don't know what it is.

Pointers, anyone?

--

Mike. Leone, >

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: 

This space reserved for future witticisms ...

How to split a pfx file into cert and key?

[Michael Leone]

I received a pfx file from one our techs. A pfx file is a cert and key, all
in one binary file. He needs me to split it out into the cert and the key,
so I can create a new request from that key, and then sign a new cert for
him.

(no, I don't know why he can't just create a new request. And I would
revoke the old cert, except that I am unsure of the details he used in
naming it, so I don't know what to revoke .. So I am stuck trying to see if
I can help the guy, by creating a new request from the private key,
presuming I can extract the private key ...)

Anyways, I found this set of commands

Extracting Certificate and Private Key Files from a .pfx File

https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File



   1. Note: the *.pfx file is in PKCS#12 format and includes both the
   certificate and the private key.
   2. Run the following command to export the private key: openssl pkcs12
   -in certname.pfx -nocerts -out key.pem -nodes
   3. Run the following command to export the certificate: openssl pkcs12
   -in certname.pfx -nokeys -out cert.pem
   4. Run the following command to remove the passphrase from the private
   key: openssl rsa -in key.pem -out server.key


But I'm asked for an "Import password" ..

$ sudo openssl pkcs12 -in requests/DCTRNPS001_cert.pfx -nocerts -out
DCTRNPS001_key.pem -nodes
Enter Import Password:

And I have no idea what an "import" password is. It's not the password for
the private key, so I don't know what it is.

Pointers, anyone?

-- 

Mike. Leone, 

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: 

This space reserved for future witticisms ...

Re: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding

[Blumenthal, Uri - 0553 - MITLL]

If you generated a keypair in a smartcard, how did you extract the private key 
out of it??? The whole point of a smartcard is to prevent that from being 
possible.

 

So, like Ken suggested, I’ve no idea where the private key you posted was 
coming from – but reasonably sure it has no relation to what’s in the smartcard.

 

To use keys on the smartcard, you need libp11 package, something like (my 
test-script uses RSA-PSS, but that doesn’t matter – adjust the OpenSSL 
parameters):

 

$ pkcs11-rsa-pss-sign-demo2

This is not a CAC

Generating ephemeral file /tmp/derive.20560.text to test RSA-PSS signature...

 

openssl rand -engine rdrand -hex -out /tmp/derive.20560.text 5120

engine "rdrand" set.

 

Signing file /tmp/derive.20560.text...

openssl dgst -engine pkcs11 -keyform engine -sign 
"pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -sha384 -sigopt 
rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out /tmp/derive.20560.text.sig 
/tmp/derive.20560.text

engine "pkcs11" set.

Enter PKCS#11 token PIN for :

Signature for /tmp/derive.20560.text is stored in /tmp/derive.20560.text.sig

 

Verifying signature:

openssl dgst -engine pkcs11 -keyform engine -verify 
"pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -sha384 -sigopt 
rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature 
/tmp/derive.20560.text.sig  /tmp/derive.20560.text

engine "pkcs11" set.

Verified OK

 

$

 

IMHO, it is a bad idea to use “rsautl” here – better to follow my example 
above. But if you must – here it is:

 

$ openssl rand -hex -out /tmp/t.text 24

$ openssl rsautl -engine pkcs11 -keyform engine -sign -inkey 
"pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private" -in /tmp/t.text 
-out /tmp/t.text.sig

engine "pkcs11" set.

Enter PKCS#11 token PIN for Blumenthal, Uri (UR20980):

$ openssl rsautl -engine pkcs11 -keyform engine -pubin -verify -inkey 
"pkcs11:manufacturer=piv_II;object=SIGN%20pubkey;type=public" -in 
/tmp/t.text.sig 

engine "pkcs11" set.

c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03

$ cat /tmp/t.text

c0e78791e0eb900eb36436da9cd4dcf85619c61a486e4b03

$

 

 

From: openssl-users  on behalf of Pedro 
Lopes 
Date: Thursday, February 13, 2020 at 12:40 PM
To: openssl-users 
Subject: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid 
padding

 

Hello, 

 

I'm generating a key pair in a smartcard (as a session object), then I convert 
both keys to RSA openssl objects.

 

Then I save both into different files.

I tried use these keys to sign and verify (private encrypts and public 
decrypts).

When I try to verify the signature, fails with 
RSA_padding_check_PKCS1_type_1:invalid padding.

 

I run following commands:
echo "test" > "test.txt"
openssl rsautl -sign -in test.txt -inkey privKey.pem -out sig
openssl rsautl -verify -in sig -inkey pubKeyp8.pem -pubin

 

Below pub and priv key:

 

-BEGIN RSA PRIVATE KEY-
MIICXAIBAAKBgQDsCXvs8rmEDP+NuB4mCvztondC+yfzy6DYswE6jvSJdgZe8PAh
kNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ8vpu+yhqujRlwill+T9JCtA+
DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxoc5GAc7UhAy7VZyj6jQIDAQAB
AoGBALWREhgSGqy+hvKQN/jRqQBvYkhPBMufzwoCoKZYAzmeZYYw1rcrQD6Nq0fL
vOSttuT+o3OplNarfdk/dToy0qfnDcNqmY3XTQbhn5SG/R8Ye5qFmyP/lZuN4NYI
TGiPO6Dt7y6IUp2inhAUkWcqMlr/5y2Kg6/Mh5CtghuhGriBAkEA+xht1GA7gc/N
pfam97iwlj6EBQUk8sX1UjSHWy5vH6RHNW0w1hDq9PrBYTT8mFuDMKA3kNdTw3JZ
2vTce4QELQJBAPClwe40HA9RKHfn5RjEFvvf0rt4/4LU3TAnmWZRuF+KU2JoxSs8
Ue+jx82PeqyH4KAD0tTboJBFt5PJLDz86+ECQHoiydmR7aAY+kkODu1UMuECC6l9
dRl53PhdgLGDhp33hIOiVyzpEcCT8FheM7fQW6HdbOnRM3dQOhDdJhoWfwkCQH+g
GTLAliUVcLXu2VSCIoJgWP2uFSyIwenZBoT6UCLzVHe7gt4ENpw2Ky/8qR25Tkru
3DChbg01vD93kKujo2ECQFQH9eMd1jr8K+/AZKdVUU0Nd3aSq3se+g25bTLBPt7k
x0yYAdd3XrfAys55ujSFEwFL9eGzNWXrBN9S2/yS8kU=
-END RSA PRIVATE KEY-

 

-BEGIN RSA PUBLIC KEY-
MIGHAoGBAOwJe+zyuYQM/424HiYK/O2id0L7J/PLoNizATqO9Il2Bl7w8CGQ1qDK
hawI0ao0SqlCZdjVR+bGHi10ieh38rJPi5ny+m77KGq6NGXCKWX5P0kK0D4OdRKf
RCI5Xs5UVEySV4ZbQAOvUtSn7BF7hpL/HGhzkYBztSEDLtVnKPqNAgEB
-END RSA PUBLIC KEY-

 

-BEGIN PUBLIC KEY-
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDsCXvs8rmEDP+NuB4mCvztondC
+yfzy6DYswE6jvSJdgZe8PAhkNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ
8vpu+yhqujRlwill+T9JCtA+DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxo
c5GAc7UhAy7VZyj6jQIBAQ==
-END PUBLIC KEY-

 

Could you please help me with this?
Thanks in advance.

-- 

Regards, 

Pedro Lopes



smime.p7s
Description: S/MIME cryptographic signature

Re: Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding

[Ken Goldman]

On 2/13/2020 12:40 PM, Pedro Lopes wrote:
When I try to verify the signature, fails 
with RSA_padding_check_PKCS1_type_1:invalid padding.


That error typically means that the verification public key does
does not match the signing private key.

Fails on verifying signature - RSA_padding_check_PKCS1_type_1:invalid padding

[Pedro Lopes]

Hello,

I'm generating a key pair in a smartcard (as a session object), then I
convert both keys to RSA openssl objects.

Then I save both into different files.
I tried use these keys to sign and verify (private encrypts and public
decrypts).
When I try to verify the signature, fails
with RSA_padding_check_PKCS1_type_1:invalid padding.

I run following commands:


*echo "test" > "test.txt"openssl rsautl -sign -in test.txt -inkey
privKey.pem -out sigopenssl rsautl -verify -in sig -inkey pubKeyp8.pem
-pubin*

Below pub and priv key:

-BEGIN RSA PRIVATE KEY-
MIICXAIBAAKBgQDsCXvs8rmEDP+NuB4mCvztondC+yfzy6DYswE6jvSJdgZe8PAh
kNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ8vpu+yhqujRlwill+T9JCtA+
DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxoc5GAc7UhAy7VZyj6jQIDAQAB
AoGBALWREhgSGqy+hvKQN/jRqQBvYkhPBMufzwoCoKZYAzmeZYYw1rcrQD6Nq0fL
vOSttuT+o3OplNarfdk/dToy0qfnDcNqmY3XTQbhn5SG/R8Ye5qFmyP/lZuN4NYI
TGiPO6Dt7y6IUp2inhAUkWcqMlr/5y2Kg6/Mh5CtghuhGriBAkEA+xht1GA7gc/N
pfam97iwlj6EBQUk8sX1UjSHWy5vH6RHNW0w1hDq9PrBYTT8mFuDMKA3kNdTw3JZ
2vTce4QELQJBAPClwe40HA9RKHfn5RjEFvvf0rt4/4LU3TAnmWZRuF+KU2JoxSs8
Ue+jx82PeqyH4KAD0tTboJBFt5PJLDz86+ECQHoiydmR7aAY+kkODu1UMuECC6l9
dRl53PhdgLGDhp33hIOiVyzpEcCT8FheM7fQW6HdbOnRM3dQOhDdJhoWfwkCQH+g
GTLAliUVcLXu2VSCIoJgWP2uFSyIwenZBoT6UCLzVHe7gt4ENpw2Ky/8qR25Tkru
3DChbg01vD93kKujo2ECQFQH9eMd1jr8K+/AZKdVUU0Nd3aSq3se+g25bTLBPt7k
x0yYAdd3XrfAys55ujSFEwFL9eGzNWXrBN9S2/yS8kU=
-END RSA PRIVATE KEY-

-BEGIN RSA PUBLIC KEY-
MIGHAoGBAOwJe+zyuYQM/424HiYK/O2id0L7J/PLoNizATqO9Il2Bl7w8CGQ1qDK
hawI0ao0SqlCZdjVR+bGHi10ieh38rJPi5ny+m77KGq6NGXCKWX5P0kK0D4OdRKf
RCI5Xs5UVEySV4ZbQAOvUtSn7BF7hpL/HGhzkYBztSEDLtVnKPqNAgEB
-END RSA PUBLIC KEY-

-BEGIN PUBLIC KEY-
MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDsCXvs8rmEDP+NuB4mCvztondC
+yfzy6DYswE6jvSJdgZe8PAhkNagyoWsCNGqNEqpQmXY1Ufmxh4tdInod/KyT4uZ
8vpu+yhqujRlwill+T9JCtA+DnUSn0QiOV7OVFRMkleGW0ADr1LUp+wRe4aS/xxo
c5GAc7UhAy7VZyj6jQIBAQ==
-END PUBLIC KEY-

Could you please help me with this?
Thanks in advance.
-- 
Regards,
Pedro Lopes

RE: Questions about signing an intermediate CA

[Michael Wojcik]

> From: Michael Leone [mailto:tur...@mike-leone.com]
> Sent: Wednesday, February 12, 2020 16:09
>
> On Wed, Feb 12, 2020 at 4:19 PM Michael Wojcik
>  wrote:
> >
> > the infamous "The OSI of a New Generation" presentation
>
> I'm not sure how "infamous" it is, as I've never heard of it, even in
> passing. :-)

Well, infamous in certain circles. I should have looked it up and cited it 
property. It's part 2a of Peter Gutmann's "godzilla crypto tutorial":

https://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html

At a mere 973 slides, it's a breezy introduction to Cryptography as It is Used. 
Somewhat old now (I'm not sure when Gutmann first published it), but there's 
still a lot of good background there.

--
Michael Wojcik
Distinguished Engineer, Micro Focus