> From: [email protected] On Behalf Of Michal Kuchta
> Sent: Thursday, 12 July, 2012 10:04

> I have a certificate and private key file in the encrypted .p12 file
> format (I have the password for the file). I need to use it in the
> [PHP] function PKCS7_sign, which assumes certificates in standard .pem
> format (at least the PHP version which I use).

> So ... openssl pkcs12 -in mycert.p12 -out mycert.pem
> ... creates the .pem file, after I enter import password and
> then password to encrypt key in PEM file (which I suppose does not
> need to be the same as import password, but it has no effect whatever
> the password is).

Note that PHP's interface to OpenSSL is part of PHP, not of OpenSSL.
The OpenSSL PKCS7_ functions use internal data formats, not any
file format. But your message is complete enough to make a guess.

Yes the PEM pw need not be the same as the PKCS12 (import) pw.
But it *should* matter to the reader of the PEM key (your PHP).

> So I have the PEM file. It contains three certificates and one private
> key. The certificates are two from the company that issued the
> certificate, my certificate itself and corresponding private key. The
> certificates and key are stored in the file in the order described.

> But when I want to use the pem file, OpenSSL gives me some weird error
> messages, which changes from time to time (let's say randomly, each
> try other message).
<snip: ... key values mismatch>

I'm surprised it changes. The examples at
http://php.net/manual/en/function.openssl-pkcs7-sign.php
suggest that arg3 is read for "signcert" only and "extracerts"
are read from optional arg7. If PHP implements this in the
simple/straightforward way by just PEM_read_X509(signcert_file),
then your cert must be first or only cert in that file.
If you use the same file for "extracerts" it should contain
the CA certs but they must not be first in the file.
It might be easier to put the CA certs, only, in a separate file.

commandline openssl pkcs12 can separate them for you with
-clcerts and -cacerts, but since you already have the file
it's easy enough to do with any reasonable text editor.
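The split suggested in the reply, scripted instead of done in a text editor. This is an added example, not code from the thread; the function names, the output file names and the placeholder sample bundle are assumptions made for illustration.

```shell
# Added example (not from the thread). Splits the bundle written by
#   openssl pkcs12 -in mycert.p12 -out mycert.pem
# into signcert.pem (your certificate alone), extracerts.pem (the other certs)
# and signkey.pem. SIGNER_INDEX is the 1-based position of your own certificate.
split_pem_bundle() {   # usage: split_pem_bundle BUNDLE OUTDIR SIGNER_INDEX
    bundle=$1 outdir=$2 signer=$3
    case $signer in ''|*[!0-9]*) return 2 ;; esac
    mkdir -p "$outdir" || return 1
    (
        umask 077      # the key file must not be readable by other users
        for f in signcert extracerts signkey; do : > "$outdir/$f.pem"; done
        awk -v dir="$outdir" -v signer="$signer" '
            /^-----BEGIN CERTIFICATE-----/ {
                ncert++
                out = dir "/" (ncert == signer ? "signcert.pem" : "extracerts.pem")
            }
            /^-----BEGIN .*PRIVATE KEY-----/ { nkey++; out = dir "/signkey.pem" }
            out != "" { print >> out }   # text outside blocks (Bag Attributes) is dropped
            /^-----END / { out = "" }
            END { exit !(signer >= 1 && ncert >= signer && nkey == 1) }
        ' "$bundle"
    )
}

# Constructed sample in the order the post describes: two CA certificates,
# the signer certificate, then the key. Block bodies are placeholders, not real data.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes: <No Attributes>
subject=/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
ROOT-CA-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUING-CA-CERT-PLACEHOLDER
-----END CERTIFICATE-----
Bag Attributes
subject=/CN=Constructed Signer
-----BEGIN CERTIFICATE-----
SIGNER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
KEY-PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
EOF
}
```

For the bundle described in the post, `split_pem_bundle mycert.pem out 3` puts the signer's certificate alone in `out/signcert.pem` (for arg3) and the two CA certificates in `out/extracerts.pem` (for the optional arg7).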
