[openssl] HELP! , PKCS#12 conversion fails!

123 views
Skip to first unread message

Privacy Matter

unread,
Feb 12, 2021, 5:29:15 AM2/12/21
to
Hi,

I'm struggling to convert a certificate and a private key to PKCS#12 format.

I have a Certificate and a Private Key files:
- cert.cer
- key.der

"cert.cer" is a binary file, and can be imported in Windows just with one click.
So, I suppose it should be a certificate in DER binary format.

I also have e PKCS#7 and Base64 X509 versions of this file, obtained using Windows Certificate export feature:
- cert-Base64-X509.cer, probably x509 certificate PEM format, because of the header "-----BEGIN CERTIFICATE-----"
- cert.p7b, PKCS#7 file format, as stated by Windows export dialog


The "key.der" seems to be a PKCS#8 EncryptedPrivateKeyInfo, because it is an ASCII file with "-----BEGIN ENCRYPTED PRIVATE KEY-----" header-.


#### PKCS#12 ERRORS ####


The PKCS#12 conversion command is expected to be:

> openssl pkcs12 -export -inkey key.der -in cert-Base64-X509.cer -out cert.p12

Wich lead to the following errors:

unable to load private key
8024:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:563:
8024:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:108:
8024:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:139:
8024:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:.\crypto\pem\pem_pkey.c:142:
unable to write 'random state'


#### THE CAUSE SEEMS TO BE THE CERTIFICATE ####


The problem seems to be the certificate, not the key.

This because if I replace "key.der" with a fake text file "atextfile.txt" containing "hello openssl", I have this:

> openssl pkcs12 -export -inkey atextfile.txt -in cert-Base64-X509.cer -out cert.p12
unable to load private key
14652:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to write 'random state'


But replacing the "cert-Base64-X509.cer" with "atextfile.txt" I got exactly the same errors.


#### ALSO PKCS#7 TO PEM CERTIFICATE TRANSLATION FAILS ####


So, I've attemped get a PEM encoded certificate, translating the PKCS#7 "cert.p7b" with following command:

> openssl pkcs7 -print_certs -in cert.p7b -out cert.pem


But also this command failed due the error:

unable to load PKCS7 object
14544:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: PKCS7


#### DIFFERENT OPERATIVE SYSTEMS, SAME ERRORS ####


All above on a Windows 7 64bit, and "OpenSSL 1.0.2u 20 Dec 2019", but also executed on Linux platform with "OpenSSL 1.1.0l 10 Sep 2019 (Library: OpenSSL 1.1.0f 25 May 2017)" (the last version availablet on that platform), exactly with the same outcome:

$ openssl pkcs12 -export -inkey key.der -in cert-Base64-X509.cer -out cert.p12
Enter pass phrase for key.der:
unable to load private key
1995617696:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:535:
1995617696:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
1995617696:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
1995617696:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:86:

$ openssl pkcs7 -print_certs -in cert.p7b -out cert.pem
unable to load PKCS7 object
1995900320:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: PKCS7


#### HELP! ####

What else I can do?
Thanks in adavance to heros who'll save me!


Reply all
Reply to author
Forward
0 new messages