Re: What is the output format of `openssl pkcs12`? How can I make it output a PKCS#1 private key?

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of James Fisher
> Sent: Friday, December 01, 2017 14:39

Haven't seen any other replies to this yet. I don't have time to verify any of the below right now, so this is just off the top of my head and may well be wrong.

> I have a `Certificates.p12` file that I wish to convert to a `certificates.pem` containing an unencrypted private key in
> PKCS#1 format. I have previously been able to do this by running:
>
>    openssl pkcs12 -in Certificates.p12 -out certificates.pem -nodes -clcerts

> The resulting `certificates.pem` file has a `PRIVATE KEY` PEM block, as expected. However, the library I'm using does not
> understand this PEM block, because it expects it to be a PKCS#1 private key....
>
> The bad private key block in my `certificates.pem` does not have this PKCS#1 structure!

I'd guess it's the OpenSSL / SSLeay key structure, as used by e.g. "openssl rsa". See the note here:
https://wiki.openssl.org/index.php/Manual:Rsa(1)

> I need a stronger guarantee that the private key PEM block is in PKCS#1 format.

I don't think OpenSSL is going to make you that guarantee.

> The strange thing is that `openssl rsa` understands the strange format of the "bad" private key, and can convert it to
> the right PKCS#1 structure with:
>
>    openssl rsa -in badprivatekey.pem -out goodprivatekey.pem

Hmm. Maybe "openssl rsa" was changed at some point to output PKCS#1, but "openssl pkcs12" is still using the SSLeay format?

> What is the output format of `openssl pkcs12`? Specifically what is the format of its private key block? How do I make
> `openssl pkcs12` output a correct PKCS#1 private key?

I'd write a script that uses openssl pkcs12, splits the file on PEM delimiters, and then reencodes the key using openssl rsa. Any competent scripting language should be able to do that; you could even do it with Windows cmd. You've already found that procedure works, so why boil the ocean?

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
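The script Michael describes (run `openssl pkcs12`, split its output on the PEM delimiters, re-encode the key block with `openssl rsa`), written out as an added example; this is not code from the thread or from the OpenSSL project. It assumes `openssl` is on PATH, reuses the file names from the question, and ships a constructed stand-in for `openssl pkcs12` output (placeholder base64, not a real key) so the splitting step can be exercised without a real `.p12`. For what it is worth, the `PRIVATE KEY` block that `-nodes` emits is the PKCS#8 PrivateKeyInfo wrapper, and `openssl rsa` unwraps it into the PKCS#1 `RSA PRIVATE KEY` structure the question asks for.

```shell
#!/bin/sh
# Added example, not part of the original thread: p12 -> PEM -> PKCS#1 key + certs.
# Assumed names: Certificates.p12 (input) and certificates.pem (output), as in the question.
set -eu

# Print only the PEM block(s) labelled $2 from file $1, dropping the
# "Bag Attributes" / "Key Attributes" lines openssl pkcs12 writes before each block.
pem_block() {
    awk -v label="$2" '
        $0 == ("-----BEGIN " label "-----") { inblock = 1 }
        inblock                              { print }
        $0 == ("-----END " label "-----")   { inblock = 0 }
    ' "$1"
}

# Number of PEM blocks labelled $2 in file $1 (0 when none), to check the split.
pem_count() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Constructed stand-in for `openssl pkcs12 -nodes -clcerts` output: same layout,
# but the base64 bodies are placeholders, not a usable key or certificate.
sample_pkcs12_output() {
    printf '%s\n' \
        'Bag Attributes' \
        '    friendlyName: example' \
        'Key Attributes: <No Attributes>' \
        '-----BEGIN PRIVATE KEY-----' \
        'PLACEHOLDERPKCS8KEYBODY=' \
        '-----END PRIVATE KEY-----' \
        'Bag Attributes' \
        '    friendlyName: example' \
        'subject=CN = example' \
        '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDERCERTIFICATEBODY=' \
        '-----END CERTIFICATE-----'
}

# Full pipeline: Certificates.p12 -> unencrypted PKCS#8 + certs -> PKCS#1 key + certs.
# The passphrase is prompted for by openssl pkcs12, as in the original command.
convert_p12() {
    in_p12=$1
    out_pem=$2
    umask 077                         # the key lands on disk unencrypted: owner-only files
    tmp=$(mktemp)
    openssl pkcs12 -in "$in_p12" -nodes -clcerts -out "$tmp"
    # openssl rsa reads the PKCS#8 "PRIVATE KEY" block and writes a PKCS#1
    # "RSA PRIVATE KEY" block (OpenSSL 1.x; OpenSSL 3.x needs -traditional for that).
    pem_block "$tmp" "PRIVATE KEY" | openssl rsa > "$out_pem"
    pem_block "$tmp" "CERTIFICATE" >> "$out_pem"
    rm -f "$tmp"
}

# Run the conversion only when called with the two file names, e.g.
#   sh convert.sh Certificates.p12 certificates.pem
if [ "$#" -eq 2 ]; then
    convert_p12 "$1" "$2"
fi
```

Two practical notes on this script: `umask 077` applies to the temporary file as well, since the intermediate PEM from `openssl pkcs12 -nodes` already holds the key unencrypted; and on OpenSSL 3.x `openssl rsa` writes PKCS#8 by default, so add `-traditional` there if the consuming library insists on the `RSA PRIVATE KEY` label. Checking `pem_count "$out" "RSA PRIVATE KEY"` equals 1 afterwards is a cheap way to catch a run where the key block was not re-encoded.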