The problem appears to be how your private key is stored, more than anything. What are the two lines following "BEGIN ENCRYPTED PRIVATE KEY" in your sslinf.key file?
(This is one reason that standards exist, so that different things can (ostensibly) use the file formats. However, not everything adheres to the standards the way it's supposed to.)

Without knowing more details on how your proprietary code generated/encrypted the key (or even what third-party library you used), it's pretty much impossible to figure out what's going wrong.

-Kyle H

On Wed, Feb 11, 2009 at 11:26 AM, Bob Barnes <[email protected]> wrote:
> Hi, first post and I will confess right up front that I'm far from an expert
> on SSL/cryptography.
>
> I'm trying to use OpenSSL to create a PKCS12 Version 3 file for import into
> IBM's Digital Certificate Manager. I used our own proprietary code (which
> uses a third party library for encryption) to generate a CSR, submitted it
> to a CA and received back the certificate, which I stored in a file called
> sslinf.pem. I can verify the contents of the certificate by using the
> openssl x509 command as follows:
>
> openssl x509 -inform PEM -in sslinf.pem -text
>
> This is where the mist begins to descend ;-) The sslinf.pem file is, I
> believe, PEM Base64 encoded since the contents are wrapped in -----BEGIN
> CERTIFICATE-----/-----END CERTIFICATE-----, although it isn't clear to me
> whether the base64 encoded data is BER, DER or something else. The key file,
> sslinf.key, appears to be PKCS#8, since the syntax is -----BEGIN ENCRYPTED
> PRIVATE KEY-----/-----END ENCRYPTED PRIVATE KEY----- and has been encrypted
> with a password.
>
> My understanding is that at this point I should be able to use the openssl
> pkcs12 command to create a PKCS#12 file suitable for import into IBM's DCM
> by doing the following:
>
> openssl pkcs12 -export -out sslinf.p12 -in sslinf.pem -inkey sslinf.key -name "My certificate"
>
> What I get is:
>
> Loading 'screen' into random state - done
> Enter pass phrase for sslinf.key:
>
> I enter the password and get:
>
> unable to load private key
>
> At that point I was thinking that perhaps the sslinf.key file was not really
> PKCS#8 so I tried:
>
> openssl pkcs8 -inform PEM -outform PEM -in sslinf.key -out pkcs8.key
> Enter Password:
>
> The result is the following:
>
> Error decrypting key
> 3144:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:330:
> 3144:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:97:
> 3144:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:
>
> So now I'm thinking maybe it's not PKCS#8 so I tried:
>
> openssl pkcs8 -in sslinf.key -topk8 -out pkcs8.key
> Enter pass phrase for sslinf.key:
>
> and get:
>
> unable to load key
>
> BTW, this is OpenSSL 0.9.8j 07 Jan 2009 running on Windows XP. Can someone
> enlighten me? I can honestly say that in over 30 years of writing code I've
> never come across anything that's closer to black magic than this stuff.
>
> Bob
> ______________________________________________________________________

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
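Kyle's question about the two lines after the BEGIN marker can be answered without the passphrase: those lines are the start of the DER-encoded PKCS#8 EncryptedPrivateKeyInfo, and its first element is the AlgorithmIdentifier naming the password-based scheme (PBES2 with a KDF and cipher, or one of the older PKCS#5 v1.5 / PKCS#12 schemes with just a salt and iteration count). The Python below is an added example, not code from either poster or from OpenSSL. It constructs two sample headers (PBES2/PBKDF2/aes256-CBC and the PKCS#12 SHA1/3DES scheme) around a dummy ciphertext, then decodes the scheme back out of the PEM text, accepting the whole file or just the first base64 lines. The OIDs are the real ones from PKCS#5 and PKCS#12; the function names `build_sample_key` and `describe_encrypted_key` and the sample salt/IV/iteration values are assumptions made for this example.

```python
import base64
import re

# Real OIDs from PKCS#5 v2.0 and PKCS#12 for the password-based schemes
# an "ENCRYPTED PRIVATE KEY" header can declare.
PBES2 = "1.2.840.113549.1.5.13"
PBKDF2 = "1.2.840.113549.1.5.12"
AES256_CBC = "2.16.840.1.101.3.4.1.42"
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"
OID_NAMES = {
    PBES2: "PBES2 (PKCS#5 v2.0)",
    PBKDF2: "PBKDF2",
    AES256_CBC: "aes256-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "1.2.840.113549.3.7": "des-ede3-CBC",
    PBE_SHA1_3DES: "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12)",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC (PKCS#12)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5)",
}

# --- minimal DER encode/decode, enough for an AlgorithmIdentifier ---------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128, high bit = "more follows"
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def _int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _tlv(buf, pos):
    """Read one DER element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_sample_key(scheme, salt=b"\x01" * 8, iterations=2048, iv=b"\x02" * 16):
    """Constructed EncryptedPrivateKeyInfo with a dummy ciphertext: only the
    header is meaningful (this is NOT a real key and cannot be decrypted)."""
    dummy_ciphertext = bytes(range(48))
    if scheme == PBES2:
        kdf = _der(0x30, _oid(PBKDF2) + _der(0x30, _der(0x04, salt) + _int(iterations)))
        enc = _der(0x30, _oid(AES256_CBC) + _der(0x04, iv))
        alg = _der(0x30, _oid(PBES2) + _der(0x30, kdf + enc))
    else:  # PKCS#5 v1.5 / PKCS#12 style: parameters are just { salt, iterationCount }
        alg = _der(0x30, _oid(scheme) + _der(0x30, _der(0x04, salt) + _int(iterations)))
    body = base64.b64encode(_der(0x30, alg + _der(0x04, dummy_ciphertext))).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")

def describe_encrypted_key(pem_text):
    """Report which PBE scheme an 'ENCRYPTED PRIVATE KEY' header declares.
    Works on the whole file or on just the first base64 line or two, since the
    AlgorithmIdentifier precedes the ciphertext; a trailing partial line is dropped."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)(?:-----END|\Z)", pem_text, re.S)
    if not m:
        raise ValueError("no ENCRYPTED PRIVATE KEY block (a legacy 'RSA PRIVATE KEY' file "
                         "with Proc-Type/DEK-Info headers is a different format)")
    b64 = re.sub(r"\s+", "", m.group(1))
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    tag, outer, _ = _tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE: not an EncryptedPrivateKeyInfo")
    _, alg, _ = _tlv(outer, 0)                       # encryptionAlgorithm
    _, oid_raw, pos = _tlv(alg, 0)
    scheme = _decode_oid(oid_raw)
    info = {"scheme": scheme, "scheme_name": OID_NAMES.get(scheme, "unknown (non-standard)")}
    if pos >= len(alg):
        return info                                  # no parameters present
    _, params, _ = _tlv(alg, pos)
    if scheme == PBES2:
        _, kdf, p = _tlv(params, 0)
        _, kdf_oid, kp = _tlv(kdf, 0)
        _, kdf_params, _ = _tlv(kdf, kp)
        _, enc, _ = _tlv(params, p)
        _, enc_oid, _ = _tlv(enc, 0)
        info["kdf"] = OID_NAMES.get(_decode_oid(kdf_oid), _decode_oid(kdf_oid))
        info["cipher"] = OID_NAMES.get(_decode_oid(enc_oid), _decode_oid(enc_oid))
    else:
        kdf_params = params                          # { salt OCTET STRING, iterationCount INTEGER }
    _, salt, sp = _tlv(kdf_params, 0)
    _, iters, _ = _tlv(kdf_params, sp)
    info["salt_len"], info["iterations"] = len(salt), int.from_bytes(iters, "big")
    return info

if __name__ == "__main__":
    for scheme in (PBES2, PBE_SHA1_3DES):
        print(describe_encrypted_key(build_sample_key(scheme)))
```

If the scheme decodes to an OID that is not in the table, the generating library wrote something OpenSSL's pkcs8/pkcs12 commands cannot be expected to read, which is Kyle's point about standards. If the scheme is a known one and the file still fails, note that Bob's trace ends in EVP_DecryptFinal_ex "bad decrypt": OpenSSL recognised the scheme well enough to run the cipher, and the failure is the padding check on the decrypted output, so either the passphrase does not match or the library derived the key/IV from it differently than the declared scheme specifies (for example a different character encoding of the passphrase or a different iteration count than the header states).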
