extract the public key from the certificate.pem - ssl

I was trying to extract the public key with the certificate file that the partner gave me in my public key file with the following command:
openssl x509 -pubkey -noout -in [certFile.pem] > [myPubKeyFile.pem]
but it shows me the following error:
x509: Unknown parameter >
x509: Use -help for summary.
error in x509
How can I fix it?
Thanks.

Related

OpenSSL: How to match if certificate and private key matches

I've a certificate and a p12 private key.
I need to check if both match:
$ openssl rsa -modulus -noout -in visor.p12 | openssl md5
unable to load Private Key
139755626676672:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
$ openssl x509 –noout –modulus –in EC_SECPUBLIC.cer | openssl md5
x509: Unknown parameter –noout
x509: Use -help for summary.
(stdin)= d41d8cd98f00b204e9800998ecf8427e
Any ideas?

How to get public key in .cer or .crt formats

I have created a self-signed SSL certificate using OpenSSL as follows:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
This gave me certificate and private key in .pem file. I need to provide my public key to my clients in .cer or .crt format. Is there any way to get public key in .cer/.crt formats?
What I have already tried:
1. Generating public key in .pem format and trying to convert it to .cer or .crt [Didn't work]
To extract public key in .pem file [worked fine]:
openssl x509 -pubkey -noout -in signer-cert.pem > signer-public-key-test.pem
To convert it from .pem to .cer format:
openssl x509 -inform PEM -in signer-public-key-test.pem -outform DER -out signer-public-key-test.cer
I get this error:
unable to load certificate
140067363030680:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
2. Converting my certificate to .cer (which I did fine) and trying to export the public key using the Windows certificate export wizard, following the instructions given here
It didn't work either. I couldn't enable the option to export keys, and the final output, when opened in Notepad++, was garbage.
So my question is, is there any way to generate the certificate from scratch and have the public key in .cer or .crt file. OR generating the certificate in .pem format and later extracting public keys to .crt or .cer
Any help is deeply appreciated.
Since .cer and .crt usually mean "DER or PEM-DER X.509 certificate" I don't know what you mean by having the public key in that format.
If you mean you want a DER encoded SubjectPublicKeyInfo representing the public key, the second stage of your pipeline would be
openssl asn1parse -noout -out some.file
You can remove the intermediate with
openssl x509 -in signer-cert.pem -noout -pubkey |
openssl asn1parse -noout -out signer-public-key-test.der
(Newline added to remove scrollbar)
Or, skip the certificate middleman altogether:
openssl rsa -in key.pem -pubout -outform der -out signer-public-key-test.der
Seems pretty weird that you want that particular format, though.
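The two routes in the answer above, run end to end as an added example (not part of the original answer): it writes the DER SubjectPublicKeyInfo once via the certificate and once via the private key and compares the bytes, which also works as a certificate/key match check. The function names and the throwaway self-signed pairs are constructed for illustration, and RSA keys are assumed.

```shell
#!/bin/sh
# Added example. Keys and certificates are throwaway material generated here.

# Write the DER SubjectPublicKeyInfo of a certificate (route via asn1parse).
spki_from_cert() {   # spki_from_cert cert.pem out.der
    openssl x509 -in "$1" -noout -pubkey |
        openssl asn1parse -noout -out "$2"
}

# Write the DER SubjectPublicKeyInfo straight from an RSA private key.
spki_from_key() {    # spki_from_key key.pem out.der
    openssl rsa -in "$1" -pubout -outform der -out "$2" 2>/dev/null
}

# Succeed only if both routes produce byte-identical DER, i.e. the
# certificate carries the public half of this private key.
spki_match() {       # spki_match cert.pem key.pem
    tmp=$(mktemp -d) || return 2
    spki_from_cert "$1" "$tmp/c.der" && spki_from_key "$2" "$tmp/k.der" &&
        cmp -s "$tmp/c.der" "$tmp/k.der"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed self-signed pair, unencrypted key, valid for one day.
make_pair() {        # make_pair dir name
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2.test" -days 1 \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Compare certificate "a" against its own key and against an unrelated key.
spki_demo() {
    d=$(mktemp -d) || return 2
    make_pair "$d" a && make_pair "$d" b || { rm -rf "$d"; return 2; }
    own=mismatch; other=mismatch
    spki_match "$d/a.pem" "$d/a.key" && own=match
    spki_match "$d/a.pem" "$d/b.key" && other=match
    rm -rf "$d"
    echo "own=$own other=$other"
}

spki_demo
```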

Logstash TLS Cert JKS to PKCS8 Invalid Key Error

I'm trying to convert a JKS cert to PKCS8 for Logstash v5.1.
I found an example here: https://stackoverflow.com/a/656559
keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 \
-srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
openssl pkcs12 -in foo.p12 -nocerts -out key.pem
openssl pkcs8 -in key.pem -topk8 -out p8key.pem
But it produces the following error when attempting to run logstash:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
I also tried to convert to pkcs8 with the -nocrypt flag, and receive this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
The cause of this error:
ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}
is because ssl_key_passphrase => "password" was not set in the logstash input.
And this error:
ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
is because non-SSL/TLS traffic was attempting to go through the SSL/TLS port. In this case, the culprit was filebeat.
https://www.elastic.co/guide/en/x-pack/current/security-troubleshooting.html

ssl : Unable to load certificate

I have 2 files - CSR.csr and newkey.key, both seem to be in PEM format as follows -
-----BEGIN CERTIFICATE REQUEST-----
MIID....
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MI...
-----END RSA PRIVATE KEY-----
When I'm trying to read the CSR.csr file, I get the following error :
$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I read that we get this error when the input file is in DER format, so I tried the following -
$ openssl x509 -inform DER -in CSR.csr -text -noout
but now I get the error -
unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509
And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.
Really confused how to go about it as I'm new to SSL. Please help!
In my case I was trying to read my cer file and was receiving the error stated above
openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I had to convert it to a crt file using openssl.
openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text
Here's the doc I used. I was able to read it using openssl after that.
The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.
To show the content of a certificate request use
openssl req -in CSR.csr -text
To show the content of a certificate use
openssl x509 -in CERT.crt -text
This ERROR also happens on certificates that are not "certificate request" emitted to be signed by a CA (non-CSR certificate) but which are x509 regular certificates from Windows PKI in ".cer" format
In this case, following "Norbert" answer is the good way to solve the problem, converting the certificate in ".crt"
After the file is able to be dumped using:
openssl x509 -in YOURCERT.crt -noout -text
or
openssl x509 -in YOURCERT.crt -text

Is it possible to convert an SSL certificate from a .key file to a .pfx?

Is there a way to convert from a .key file to a .pfx file?
Thank you.
EDIT: I only have the .key file but my hosting provider says that I could convert it to .pfx with just that file.
To check if your .key file has everything you need:
#check if file contains a valid certificate:
openssl x509 -text -in file.key
It should print out certificate details. If it prints an error including the text "unable to load certificate", then your file is not sufficient.
#check if file contains a valid key:
openssl rsa -text -in file.key
openssl dsa -text -in file.key
One of the above commands should print out valid key details. The other will give an error with the text "expecting an rsa key" or "expecting a dsa key".
If the error text says "bad decrypt", you have provided an invalid passphrase, or the file is damaged.
If the error text says "Expecting: ANY PRIVATE KEY", then your file is not sufficient.
If you got a key, and one certificate which matches the key (and optionally some other certificates), then you have enough to convert the file to a pfx. Then, as ISW said, it's just a matter of
#convert file containing key and certificate(s) to PKCS#12 pfx file.
openssl pkcs12 -export -out file.pfx -in file.key
and you're done.
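Both the CSR answer earlier on this page (the PEM header tells you which object you hold) and the checks in the answer above come down to reading the BEGIN lines. The following is an added example, not part of any original answer: it lists the PEM labels in a file, names the openssl subcommand for each, and reports whether the file has both a key and a certificate for pkcs12 -export. The function names and the sample file are constructed for illustration, and only labels are inspected, so it does not validate the contents.

```shell
#!/bin/sh
# Added example. Only PEM header lines are read; no key material is parsed.

# Print the label of every PEM block in a file, one per line.
pem_labels() {
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Map a PEM label to the openssl subcommand that reads that object type.
openssl_cmd_for() {
    case $1 in
        "CERTIFICATE"|"TRUSTED CERTIFICATE") echo "openssl x509" ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo "openssl req" ;;
        "RSA PRIVATE KEY") echo "openssl rsa" ;;
        "DSA PRIVATE KEY") echo "openssl dsa" ;;
        "PRIVATE KEY"|"ENCRYPTED PRIVATE KEY") echo "openssl pkey" ;;
        "PUBLIC KEY") echo "openssl pkey -pubin" ;;
        *) echo "unknown" ;;
    esac
}

# One line per PEM block: "LABEL -> command".
describe() {
    labels=$(pem_labels "$1")
    [ -n "$labels" ] || { echo "no PEM header: try -inform DER"; return 0; }
    echo "$labels" | while IFS= read -r label; do
        echo "$label -> $(openssl_cmd_for "$label")"
    done
}

# True only if the file holds both a private key and a certificate, which is
# what "openssl pkcs12 -export -in FILE" needs.
pfx_ready() {
    labels=$(pem_labels "$1")
    echo "$labels" | grep -q 'PRIVATE KEY$' &&
        echo "$labels" | grep -Eq '^(TRUSTED )?CERTIFICATE$'
}

# Constructed sample: a CSR saved under a certificate-like name.
sample=$(mktemp) || exit 1
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIDplaceholder' \
    '-----END CERTIFICATE REQUEST-----' > "$sample"
describe "$sample"
pfx_ready "$sample" || echo "not enough for a .pfx"
rm -f "$sample"
```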
You could try this
https://www.sslshopper.com/ssl-converter.html
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
According to the OpenSSL Command-Line HOWTO it should work using
# export mycert.key as PKCS#12 file mycert.pfx
openssl pkcs12 -export -out mycert.pfx -in mycert.key -name "My Certificate"
You can convert your .key file to .pvk using the tool http://www.chilkatsoft.com/p/p_347.asp and then use the instructions on GoDaddy to combine both .scp and .pvk into a .pfk. Just make sure you use a password when generating the .pvk file.