Re: PKCS8 question
[EMAIL PROTECTED] wrote:
> ...At any rate, I can't sign it w/ my openssl-generated CA cert, and I can't
> convert it using openssl x509.

This may seem rather pedantic, but you don't sign things with a cert -- you do
so with the private key associated with the public key that's baked into a cert.
__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: PKCS8 question
I've generated a trivial 1024-bit RSA key using RSA's Crypto-J CertReqTool. The
tool doesn't offer an opportunity to create the key unencrypted (I don't think),
but when it prompted for a password I entered a blank. Tell me what you think.
It would be nice to use Crypto-J-generated keys/certs w/ openssl and vice versa.

-----Original Message-----
From: Dr Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, March 23, 2000 3:17 AM
Subject: Re: PKCS8 question

> [EMAIL PROTECTED] wrote:
> > Actually, this doesn't work. This is a question I've been wanting an answer
> > to for a while: Whenever you create a CSR w/ a tool like RSA's (or with a
> > server like Netscape that uses RSA's code), the private key is generated as
> > a DER encoded PKCS8 file of 670 bytes (for a 1024 bit RSA key). But you
> > can't ever seem to use this w/ the OpenSSL code (at least as far as I've
> > been able to learn). The code below might work (if it included the x509
> > option) for a cert, but never for a key. I've tried openssl pkcs8 ... and
> > all its flavors but never found anything to work. Anyone got the solution?
>
> Try this for an unencrypted PKCS#8 RSA key:
>
>   openssl pkcs8 -inform DER -nocrypt -in p8key.der -out key.pem
>
> if this doesn't work and you can create a sample private key (nothing
> important!) then please mail me a copy and I'll look into it.
>
> Failing that try doing:
>
>   openssl asn1parse -inform DER -in p8key.der
>
> and posting the result.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

[Attachment: new.key]
Re: PKCS8 question
John Byrd wrote:
> I've generated a trivial 1024-bit RSA key using RSA's Crypto-J CertReqTool.
> The tool doesn't offer an opportunity to create the key unencrypted (I don't
> think), but when it prompted for a password I entered a blank. Tell me what
> you think. It would be nice to use Crypto-J-generated keys/certs w/ openssl
> and vice versa.

Doesn't seem to work. Can you try giving it a password? I've known some
software use some "magic word" when you use a blank (MSIE 5 with PKCS#12 is one
example).

Does it give any info about the encryption used? The OID suggests a PKCS#12 RC4
PBE algorithm but they might use something else, I can do a few experiments to
see if it's a PKCS#5 based PBE algorithm.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: PKCS8 question
Well, you know what? I tried making another request/key, this time w/ a
password and it worked just fine. Spooky, isn't it? One day I'll discover what I
was doing wrong on the other attempts, but that knowledge is withheld from me
tonight.

OK, so now I've got a related issue to solve. The RSA tools generated a cert
request in Base64, and I suppose it's in DER encoding. At any rate, I can't sign
it w/ my openssl-generated CA cert, and I can't convert it using openssl x509.
Is there a solution to this?

BTW, here's the request (it's just trivial junk):

-----BEGIN CERTIFICATE REQUEST-----
[...]
-----END CERTIFICATE REQUEST-----

John
[EMAIL PROTECTED]
www.darkspell.com

Steve Henson wrote:
> Doesn't seem to work. Can you try giving it a password?
Re: PKCS8 question
Wasn't the blank line at all. When I loaded the request into vi, I saw each
line had those nasty 0xD's on the end. Chopped those off and it worked. (The RSA
Certificate Engine is Java-based, but seems for some reason to work best on NT.
This particular request, however, was generated on Linux.)

Ah well, despite feeling stupid for not solving these little problems myself,
and a little confused as to why they came up in the first place, I'm pleased to
know I'm making progress. Appreciate the patient help w/ this...

John
[EMAIL PROTECTED]
www.darkspell.com

Steve Henson wrote:
> Try deleting the blank line before END CERTIFICATE REQUEST. Hmm OpenSSL should
> be more tolerant of things like that...
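The two defects that broke the CSR in this thread (0x0D line endings and a blank line before the END marker) are easy to normalise before the file ever reaches openssl. The following is an added example, not OpenSSL's code or the poster's tool; the sample PEM block is constructed and its base64 encodes the text "not a real CSR", not the request posted above.

```python
import base64

# Added example: clean up a PEM block the way one would before feeding it to
# openssl: strip CR (0x0D) line endings and drop blank lines inside the body.

def normalize_pem(text):
    """Return the first PEM block in text with CRs and blank body lines removed.

    Raises ValueError if the markers are missing or mismatched, or if the
    body is not valid base64, so a damaged file fails here rather than in openssl.
    """
    lines = [ln.rstrip() for ln in text.split("\n")]           # drops 0x0D and trailing blanks
    begin = next((i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")), None)
    end = next((i for i, ln in enumerate(lines) if ln.startswith("-----END ")), None)
    if begin is None or end is None or end <= begin:
        raise ValueError("missing or misordered PEM markers")
    label = lines[begin][len("-----BEGIN "):-len("-----")]
    if lines[end] != "-----END %s-----" % label:
        raise ValueError("BEGIN/END labels differ")
    body = [ln.strip() for ln in lines[begin + 1:end] if ln.strip()]  # drop blank lines
    base64.b64decode("".join(body), validate=True)              # rejects stray characters
    return "\n".join([lines[begin], *body, lines[end]]) + "\n"

def pem_to_der(text):
    """Decode the normalised PEM body to DER bytes."""
    body = normalize_pem(text).split("\n")[1:-2]
    return base64.b64decode("".join(body))

# Constructed sample: CRLF line endings and a blank line before END, as in the
# thread. The base64 encodes the text "not a real CSR", not a real request.
CRLF_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\r\n"
            "bm90IGEgcmVhbCBDU1I=\r\n"
            "\r\n"
            "-----END CERTIFICATE REQUEST-----\r\n")

if __name__ == "__main__":
    print(normalize_pem(CRLF_PEM), end="")
```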
Re: PKCS8 question
openssl asn1parse -inform DER -in mycert.key
    0:d=0  hl=4 l= 666 cons: SEQUENCE
    4:d=1  hl=2 l=  27 cons: SEQUENCE
    6:d=2  hl=2 l=  10 prim: OBJECT            :pbeWithSHA1And128BitRC4
   18:d=2  hl=2 l=  13 cons: SEQUENCE
   20:d=3  hl=2 l=   8 prim: OCTET STRING
   30:d=3  hl=2 l=   1 prim: INTEGER           :05
    3:d=1  hl=4 l= 633 prim: OCTET STRING

The key was generated w/ RSA's Crypto-J CertReqTool and it definitely is
encrypted, so using openssl pkcs8 etc. on it didn't work.

> Failing that try doing:
>
>   openssl asn1parse -inform DER -in p8key.der
>
> and posting the result.
>
> Steve.
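The dump above is an EncryptedPrivateKeyInfo: the outer SEQUENCE opens with an AlgorithmIdentifier (pbeWithSHA1And128BitRC4 with PKCS#12 PBE parameters) rather than the INTEGER version that starts an unencrypted PrivateKeyInfo, which is why `openssl pkcs8 -nocrypt` could not consume it. The following added example (not OpenSSL's code) is a minimal DER reader that makes that distinction; both sample blobs are constructed, the first mirroring the dump's structure with placeholder salt and ciphertext.

```python
# Added example: a minimal DER reader that tells an unencrypted PKCS#8
# PrivateKeyInfo from an EncryptedPrivateKeyInfo. The distinction decides
# whether "openssl pkcs8 -inform DER -nocrypt" can apply at all.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content octets into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:              # a clear high bit ends the base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def inspect_pkcs8(der):
    """Return ("encrypted" | "unencrypted", algorithm OID) for a DER PKCS#8 blob."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("top-level element is not a SEQUENCE")
    tag, first, nxt = read_tlv(body, 0)
    if tag == 0x02:                   # INTEGER version first: PrivateKeyInfo
        kind, (_, alg_id, _) = "unencrypted", read_tlv(body, nxt)
    elif tag == 0x30:                 # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        kind, alg_id = "encrypted", first
    else:
        raise ValueError("unexpected tag 0x%02x" % tag)
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return kind, decode_oid(oid)

# Constructed sample mirroring the asn1parse dump: pbeWithSHA1And128BitRC4
# (1.2.840.113549.1.12.1.1), 8-byte salt, iterationCount 5; salt and ciphertext are placeholders.
ENCRYPTED_P8 = bytes.fromhex(
    "3024" "301b" "060a2a864886f70d010c0101"        # SEQUENCE, AlgorithmIdentifier, OID
    "300d" "04080102030405060708" "020105"           # PBE params: salt, iterationCount 5
    "0405deadbeef00")                                # encryptedData (placeholder)
# Constructed unencrypted PrivateKeyInfo: version 0, rsaEncryption, placeholder key bytes.
PLAIN_P8 = bytes.fromhex("3016" "020100" "300d" "06092a864886f70d010101" "0500" "0402abcd")

if __name__ == "__main__":
    for name, blob in (("Crypto-J style key", ENCRYPTED_P8), ("plain PKCS#8", PLAIN_P8)):
        kind, oid = inspect_pkcs8(blob)
        print("%s: %s, algorithm %s" % (name, kind, oid))
```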