Thanks VERY much Michael. That did the trick. This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes. I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input. I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one. Thanks again for clearing this up. It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING. 😊 Thanks, Gary From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Michael Wojcik I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL. In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult. openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12. So, try this: 1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----"). 2. Convert the data from Base64 to binary: 3. Unpack it: openssl pkcs12 -in file.der -nokeys -out file-cert.pem openssl pkcs12 -in file.der -nocerts -out file-key.pem Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes. You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL. Of course, you haven't told us what you're trying to do, so I'm just guessing. Also, I can't verify this, because I don't have the import password for your PKCS#12 file. Michael Wojcik From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Gary L Peskin My original message accidently included an attachment. Please ignore the attachment. That was not related to this issue. Thanks, Gary From: Gary L Peskin [mailto:garyp@xxxxxxxxxxxx] Hello all I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop. I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with openssl pkcs12 -in mycert.p12 -noout But I get the following messages: 15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199: 15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12 I’m able to import this with the private key into the Windows certificate store with no issues. Can someone please advise as to what I’m doing wrong? Thanks, Gary PS Here is the file: -----BEGIN CERTIFICATE----- MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS +TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy 0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O ++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz 5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7 iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL /jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91 DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35 LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx 5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo 8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3 DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+ egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu 4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9 +qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV +Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g 9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1 fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1 WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w== -----END CERTIFICATE----- |
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users