Kyle,

 Thanks for the response. Just to clarify a bit, our proprietary code is
simply a wrapper around the third party libraries, which are SSLPlus/BSAFE.
As far as I know they should be generating/storing the private key in a
standards compliant way.

 The first 2 lines of the private key are:

MIICmDAaBgkqhkiG9w0BBQMwDQQIgeyJNiNcE90CAQUEggJ4arTMz0VmFuBiCw3P
5LHhLjmOKpdTdby6Dy9BP34zrwL/7yKR+lt3cor+SzhH4vGedhD4SQafw4iM7+1j

 Can you confirm that my basic understanding as described in my first email
is essentially correct or am I out in left field someplace?

Bob
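As an added example (not code from this thread, from OpenSSL or from the BSAFE wrapper), the Python below decodes the two base64 lines Bob quoted and reads the PBE AlgorithmIdentifier at the head of the PKCS#8 EncryptedPrivateKeyInfo: the algorithm OID, its salt and its iteration count. Those are the parameters OpenSSL derives the key-encryption key from before `EVP_DecryptFinal_ex` can report `bad decrypt`, so they tell you whether the file really is PKCS#8 and which PBE scheme the library used; the OID-to-name table is a constructed subset.

```python
import base64

# The two lines Bob quoted from sslinf.key (from the thread; not a complete key).
KEY_HEAD_B64 = (
    "MIICmDAaBgkqhkiG9w0BBQMwDQQIgeyJNiNcE90CAQUEggJ4arTMz0VmFuBiCw3P"
    "5LHhLjmOKpdTdby6Dy9BP34zrwL/7yKR+lt3cor+SzhH4vGedhD4SQafw4iM7+1j"
)
# PBE OIDs an EncryptedPrivateKeyInfo may carry, with OpenSSL's names for them.
PBE_OIDS = {
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12)",
}

def read_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Convert DER OID content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_epki_header(b64_head):
    """Return (oid, name, salt_hex, iterations) from the head of a PKCS#8
    EncryptedPrivateKeyInfo; reads only the AlgorithmIdentifier (no PBES2 expansion)."""
    der = base64.b64decode(b64_head)
    tag, pos, _ = read_tlv(der, 0)            # EncryptedPrivateKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really PKCS#8?")
    _, pos, _ = read_tlv(der, pos)            # encryptionAlgorithm SEQUENCE
    tag, s, e = read_tlv(der, pos)            # OBJECT IDENTIFIER
    oid = decode_oid(der[s:e])
    salt = iters = None
    if oid != "1.2.840.113549.1.5.13":        # PBEParameter ::= {salt, iterationCount}
        _, p, _ = read_tlv(der, e)
        _, s, e = read_tlv(der, p)            # salt OCTET STRING
        salt = der[s:e].hex()
        _, s, e = read_tlv(der, e)            # iterationCount INTEGER
        iters = int.from_bytes(der[s:e], "big")
    return oid, PBE_OIDS.get(oid, "unknown PBE OID"), salt, iters
```

For the two lines quoted above this reports pbeWithMD5AndDES-CBC with an 8-byte salt and an iteration count of 5, a PKCS#5 v1.5 scheme OpenSSL 0.9.8 does support, so the structure itself is not what the `bad decrypt` comes from. An MD5/DES PBE with 5 iterations also gives very little resistance to password guessing; keys re-wrapped with `openssl pkcs8 -topk8 -v2 aes-256-cbc` get PBES2 instead.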

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Kyle Hamilton
Sent: Wednesday, February 11, 2009 3:09 PM
To: [email protected]
Subject: Re: Generating a PKCS#12 file

The problem appears to be how your private key is stored, more than
anything.  What are the two lines following "BEGIN ENCRYPTED PRIVATE KEY" in
your sslinf.key file?

(This is one reason that standards exist, so that different things can
(ostensibly) use the file formats.  However, not everything adheres to the
standards the way it's supposed to.)

Without knowing more details on how your proprietary code
generated/encrypted the key (or even what third-party library you used),
it's pretty much impossible to figure out what's going wrong.

-Kyle H

On Wed, Feb 11, 2009 at 11:26 AM, Bob Barnes <[email protected]>
wrote:
> Hi, first post and I will confess right up front that I'm far from an 
> expert on SSL/cryptography.
>
> I'm trying to use OpenSSL to create a PKCS12 Version 3 file for import 
> into IBM's Digital Certificate Manager. I used our own proprietary 
> code (which uses a third party library for encryption) to generate a 
> CSR, submitted it to a CA and received back the certificate, which I 
> stored in a file called sslinf.pem. I can verify the contents of the 
> certificate by using the openssl x509 command as follows:
>
> openssl x509 -inform PEM -in sslinf.pem -text
>
> This is where the mist begins to descend;-) The sslinf.pem file is I 
> believe, PEM Base64 encoded since the contents are wrapped in 
> -----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----, although it 
> isn't clear to me whether the base64 encoded data is BER, DER or 
> something else. The key file, sslinf.key appears to be PKCS#8, since 
> the syntax is -----BEGIN ENCRYPTED PRIVATE KEY-----/-----END ENCRYPTED 
> PRIVATE KEY----- and has been encrypted with a password.
>
> My understanding is that at this point I should be able to use the
> openssl pkcs12 command to create a PKCS#12 file suitable for import into
> IBM's DCM by doing the following:
>
> openssl pkcs12 -export -out sslinf.p12 -in sslinf.pem -inkey 
> sslinf.key -name "My certificate"
>
> What I get is:
>
> Loading 'screen' into random state - done
> Enter pass phrase for sslinf.key:
>
> I enter the password and get:
>
> unable to load private key
>
> At that point I was thinking that perhaps the sslinf.key file was not
> really PKCS#8 so I tried:
>
> openssl pkcs8 -inform PEM -outform PEM -in sslinf.key -out pkcs8.key 
> Enter Password:
>
> The result is the following:
>
> Error decrypting key
> 3144:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:330:
> 3144:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:97:
> 3144:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:
>
> So now I'm thinking maybe it's not PKCS#8 so I tried:
> openssl pkcs8 -in sslinf.key -topk8 -out pkcs8.key
> Enter pass phrase for sslinf.key:
>
> and get:
>
> unable to load key
>
> BTW, this is OpenSSL 0.9.8j 07 Jan 2009 running on Windows XP. Can
> someone enlighten me? I can honestly say that in over 30 years of
> writing code I've never come across anything that's closer to black magic
> than this stuff.
>
> Bob
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
