OpenSSL x509 utility PEM to DER conversion fails with "PEM_read_bio:no start line" [duplicate]

This question already has answers here:
How to generate a self-signed SSL certificate using OpenSSL? [closed]
Closed 6 years ago.
I'm trying to convert a .pem file to a .der file using the command below.
openssl x509 -in public_key.pem -out cert.der -outform DER
I get the error below:
unable to load certificate
31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
I generated the RSA private/public keys using the commands below.
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

You are creating an RSA key pair, and you are trying to convert the public key into DER format.
The openssl x509 command requires the public key to be inside an X.509 container.
Try these commands to create the private key and public cert.
Create a self-signed CA cert:
openssl genrsa -out CAkey.pem 2048
openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095
Now create another cert, signed by the CA created above:
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01
Then convert the public cert from PEM to DER format:
openssl x509 -in server.pem -out server.der -outform DER
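The answer's point is that the PEM label decides which openssl subcommand can read the file: x509 reads CERTIFICATE blocks, while a bare PUBLIC KEY block needs pkey -pubin (or rsa -pubin). The script below is an added example, not part of the original answer: it reads the BEGIN label, dispatches to the matching subcommand, and then reruns the question's own commands against a throwaway key to show both the failure and the working conversions. The file names are the question's; the pem_label, pem_tool and pem_to_der helpers are invented here.

```shell
#!/bin/sh
# Added example, not from the original answer: pick the openssl subcommand by
# PEM label. "no start line ... Expecting: TRUSTED CERTIFICATE" means x509
# scanned for a CERTIFICATE block and found something else.

# Print the first "-----BEGIN <label>-----" label in a PEM file (CRLF tolerated).
# A bundle (cert + key, or a chain) reports only its first object.
pem_label() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# Map the label to the subcommand that parses it; fails for anything else
# (an OpenSSH "ssh-rsa ..." public key, for example, is not PEM at all).
pem_tool() {
    case "$(pem_label "$1")" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE")             echo x509 ;;
        "PUBLIC KEY")                                     echo pkey-pub ;;
        "PRIVATE KEY"|"ENCRYPTED PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") echo pkey ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST")  echo req ;;
        *) echo "pem_tool: no usable PEM label in $1" >&2; return 1 ;;
    esac
}

# Convert one PEM object to DER with the matching subcommand.
pem_to_der() {   # pem_to_der <in.pem> <out.der>
    case "$(pem_tool "$1")" in
        x509)     openssl x509 -in "$1" -outform DER -out "$2" ;;
        pkey-pub) openssl pkey -pubin -in "$1" -outform DER -out "$2" ;;
        pkey)     openssl pkey -in "$1" -outform DER -out "$2" ;;
        req)      openssl req -in "$1" -outform DER -out "$2" ;;
        *)        return 1 ;;
    esac
}

# Demo with the question's own commands; skipped when openssl is not installed.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    d=$(mktemp -d) || return 1
    ( cd "$d" || exit 1
      openssl genrsa -out private_key.pem 2048 2>/dev/null
      openssl rsa -pubout -in private_key.pem -out public_key.pem 2>/dev/null
      openssl req -new -x509 -key private_key.pem -subj /CN=example -days 1 -out cert.pem 2>/dev/null
      # The command from the question: x509 refuses a bare public key.
      if openssl x509 -in public_key.pem -out cert.der -outform DER 2>/dev/null; then
          echo "unexpected: x509 accepted public_key.pem"
      else
          echo "x509 on public_key.pem fails, as in the question"
      fi
      for f in private_key.pem public_key.pem cert.pem; do
          pem_to_der "$f" "${f%.pem}.der" || exit 1
          # Sanity check: the DER output must parse as ASN.1.
          openssl asn1parse -inform DER -in "${f%.pem}.der" >/dev/null || exit 1
          printf '%-16s (%s) -> %s\n' "$f" "$(pem_label "$f")" "${f%.pem}.der"
      done
    )
}
demo
```

The label check is deliberately separate from the conversion so it can be used as a preflight in scripts that receive files from other people: a wrong label is reported before any openssl call is made.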

Related

Convert pem key to p12 when having 1 key and 1 pem

I'm having a hard time creating a p12 key. Here are the steps I did:
1: openssl genrsa -out priv.key 4096
2: openssl req -new -sha256 -key priv.key -out priv.csr
3: Converted the CSR into a priv.pem file on a website made specially for this (payment gateway).
And here I'm stuck. According to this website the following command can be used:
openssl pkcs12 -export -out Cert.p12 -in cert.pem -inkey key.pem -passin pass:root -passout pass:root
The problem for me is: I only have one pem key, but the above requires two. So can I, with only my pem key, now convert it into a p12 key with a password?

How to check if the .sig file is correct ?

I issued the following commands to create a signature for a file (Linux kernel):
openssl req -newkey rsa -keyout codesign.key -out codesign.req
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
The ca.cnf file is for my own private CA infrastructure and it has the digitalSignature key usage extension and the codeSigning extended key usage extension enabled.
How can I verify that vmlinuz.sig is the signature of vmlinuz?
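As an added example, not part of the original post, the script below runs the same sign step against a throwaway CA and then performs the verification the question asks for with openssl cms -verify, including the check that a modified file is rejected. It builds the code-signing certificate with openssl x509 -req and a small extension file instead of the poster's openssl ca / ca.cnf setup, so the helper names (make_pki, sign_file, verify_file, signer_is_code_signer) and file names are invented. Two caveats a practitioner wants: cms -verify defaults to the S/MIME purpose, which rejects a certificate whose EKU is codeSigning only, hence -purpose any; and chain validation by itself never checks that the signer is a code-signing certificate, so that EKU is inspected explicitly.

```shell
#!/bin/sh
# Added example, not from the original post: sign a file with a detached CMS
# signature and verify it. A throwaway CA stands in for the poster's ca.cnf
# setup; all file names are invented.

# Throwaway PKI in the current directory: CA plus a code-signing certificate
# with the same extensions the question's "codesigning" section sets.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj /CN=demo-ca -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout codesign.key -out codesign.req \
        -subj /CN=demo-codesign 2>/dev/null
    printf '%s\n' 'keyUsage = critical,digitalSignature' \
                  'extendedKeyUsage = codeSigning' > codesign.ext
    openssl x509 -req -in codesign.req -CA ca.crt -CAkey ca.key -set_serial 1 \
        -days 1 -extfile codesign.ext -out codesign.crt 2>/dev/null
}

# Same shape as the question's signing command.
sign_file() {   # sign_file <payload> <sig.der>
    openssl cms -sign -binary -noattr -in "$1" -signer codesign.crt \
        -inkey codesign.key -certfile ca.crt -outform DER -out "$2"
}

# Verify the detached signature against the payload and our CA.
# -purpose any is needed: cms -verify defaults to the S/MIME purpose, which
# rejects a certificate whose EKU is codeSigning only.
verify_file() {   # verify_file <payload> <sig.der>; exit 0 if the signature is valid
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile ca.crt -purpose any -out /dev/null 2>/dev/null
}

# Chain validation alone does not require codeSigning; extract the signer
# certificate from the CMS structure and look at its EKU explicitly.
signer_is_code_signer() {   # signer_is_code_signer <payload> <sig.der>
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile ca.crt -purpose any -signer signer.pem -out /dev/null 2>/dev/null || return 1
    openssl x509 -in signer.pem -noout -text | grep -q 'Code Signing'
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    d=$(mktemp -d) || return 1
    ( cd "$d" || exit 1
      make_pki
      printf 'constructed stand-in for vmlinuz\n' > vmlinuz   # constructed payload
      sign_file vmlinuz vmlinuz.sig
      verify_file vmlinuz vmlinuz.sig && echo "vmlinuz.sig verifies against ca.crt"
      signer_is_code_signer vmlinuz vmlinuz.sig && echo "signer EKU includes codeSigning"
      printf 'x' >> vmlinuz                                  # tamper with the payload
      verify_file vmlinuz vmlinuz.sig || echo "modified vmlinuz: verification fails, as it should"
    )
}
demo
```

Because the signature is detached (-content supplies the data), the verifier must be given exactly the bytes that were signed; -binary on both sides keeps openssl from applying S/MIME line-ending canonicalisation to the kernel image.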

openssl CMS with ECDH EnvelopedData

I am playing with openssl 1.0.2a - specifically CMS support for ECC.
As a test I am doing a simple encrypt and decrypt.
I gave an RSA example as a known good working example / sanity test.
The ECC example fails.
Any ideas? TIA.
./openssl version
OpenSSL 1.0.2a 19 Mar 2015
echo -n 12345678123456781234567812345678 > sess.txt # 32 byte plaintext
#RSA works
./openssl genrsa -out rsa.key 2048
./openssl req -x509 -new -key rsa.key -out rsa.crt
./openssl cms -encrypt -in sess.txt -out rsaencsess.bin -outform PEM rsa.crt
./openssl cms -decrypt -in rsaencsess.bin -out rsadecsess.txt -inform PEM -inkey rsa.key
#AOK.
#EC fails
./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key
Error decrypting CMS structure
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
OpenSSL's Steve Henson resolved it as follows: "RSA can decrypt without knowing the certificate but currently EC cannot. So try including the option -recip ecc.crt when you decrypt."
This now works:
./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key -recip ecc.crt # NOTE "-recip ecc.crt" is currently required else it won't work!

Unable to get local issuer certificate while processing chain

I have a private key (my_ca.key) and a public key (my_cert.crt) which is signed by DigiCert. Now I want to create an RA (Registration Authority) and sign it with my private key. Here is the way I tried to do that. But when I try to export the private and public key as a pkcs12 file I get an error like this: unable to get local issuer certificate getting chain. No idea how to solve this. Here my_cert.crt is extended from DigiCert High Assurance CA-3, and that one is extended from DigiCert High Assurance EV Root CA.
SSL_SUBJ="/C=LK/ST=Colombo/L=Colombo/O=Nope/OU=mobile/CN=My root"
openssl genrsa -out ra.key 4096
openssl req -new -key ra.key -out ra.csr -subj "$SSL_SUBJ"
openssl x509 -req -days 365 -in ra.csr -CA my_cert.pem -CAkey my_ca.pem -set_serial 76964474 -out ra.crt
openssl rsa -in ra.key -text > ra_private.pem
openssl x509 -in ra.crt -out ra_cert.pem
openssl pkcs12 -export -out ca.p12 -inkey my_ca.pem -in my_cert.pem -name "cacert" -passout pass:password
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem -chain -CAfile my_cert.pem -name "racert" -passout pass:password
You usually can't use a certificate issued by a public CA to sign anything but client or server traffic; you won't be able to use it for your RA.
The error message indicates that there is a problem with the intermediate certificates. Make sure that you add both of DigiCert's certificates to the my_cert.pem file before exporting it to pkcs12.

Getting "No certificate matches private key"

This is the sequence of commands I tried:
a. Extract an existing certificate key from the store:
keytool -v -importkeystore -srckeystore keystore -srcalias one -destkeystore temppp -deststoretype PKCS12 -srcstorepass passwordd -deststorepass passwordd
b. Extract the private key from the exported certificate:
openssl pkcs12 -in temppp -out csr_private.key -nocerts -nodes -password pass:passwordd
c. Generate csr using extracted key:
openssl req -nodes -sha256 -new -key csr_private.key -out request.csr -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla/OU=Bla/CN=BLAAAA'
d. Generate a self-signed certificate and key:
openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -nodes -sha512 -days 4096 -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla Bla/OU=BLA/CN=FOOO' -out ca.pem
e. Sign the csr with the self-signed certificate:
openssl x509 -in request.csr -out signed_cert.pem -req -signkey ca_key.pem -days 1001
f. Export the signed certificate and csr key to one p12 file:
openssl pkcs12 -export -in signed_cert.pem -inkey csr_private.key -out file.p12 -name "one"
Result:
No certificate matches private key
What am I missing? Why isn't my last command legitimate?
I planned to run "keytool -importkeystore" on file.p12 (which should have been generated in the last step) to replace the "one" privateKeyEntry in "keystore", as suggested in How to import an existing x509 certificate and private key in Java keystore to use in SSL?.
Basically I'm trying to edit that entry to have the same key, but a different certificate.
The fix is to add "-nodes" to the last command (f).
In the second command that key was exported with "-nodes" (no DES encryption), and it should be the same in the last command too.
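The two pkcs12 failures on this page, "unable to get local issuer certificate" from the RA question and "No certificate matches private key" from this one, are both checks that openssl pkcs12 -export performs before writing anything. The script below is an added example, not the answerers' own code: it runs those two checks up front on a throwaway root / intermediate / leaf PKI, shows that -chain only succeeds when the -CAfile holds the intermediate as well as the root (the advice in the RA answer), and reproduces the mismatch from the sequence above. In step e, openssl x509 -req ... -signkey ca_key.pem self-signs the request and, as the x509 manual states, replaces the certificate's public key with that of the signing key, so a certificate produced that way carries ca_key's public key rather than csr_private.key's. Helper and file names (key_matches_cert, chain_ok, export_p12, chain.pem, leaf.key and so on) are invented.

```shell
#!/bin/sh
# Added example, not from the original answers: preflight checks for
# "openssl pkcs12 -export". A throwaway PKI is built here; names are invented.

# Does the private key match the certificate? Compare the SubjectPublicKeyInfo
# in the certificate with the one derived from the private key.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Can the leaf be chained to a root in <cafile>? This is the same lookup
# pkcs12 -chain performs; a missing intermediate gives
# "unable to get local issuer certificate".
chain_ok() {   # chain_ok <cafile> <leaf.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pkcs12 export with chain building, as in the RA question.
export_p12() {   # export_p12 <cafile> <out.p12>
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -chain -CAfile "$1" \
        -name racert -passout pass:password -out "$2" 2>/dev/null
}

gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

make_pki() {
    gen_key root.key; gen_key inter.key; gen_key leaf.key; gen_key other.key
    openssl req -x509 -new -key root.key -subj /CN=demo-root -days 1 -out root.crt 2>/dev/null
    openssl req -new -key inter.key -subj /CN=demo-intermediate -out inter.csr 2>/dev/null
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' > ca.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 -days 1 \
        -extfile ca.ext -out inter.crt 2>/dev/null
    openssl req -new -key leaf.key -subj /CN=demo-leaf -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -set_serial 3 -days 1 \
        -out leaf.crt 2>/dev/null
    # The pitfall from step e above: -signkey self-signs the request with
    # other.key, so the certificate carries other.key's public key, not leaf.key's.
    openssl x509 -req -in leaf.csr -signkey other.key -days 1 -out selfsigned.crt 2>/dev/null
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    d=$(mktemp -d) || return 1
    ( cd "$d" || exit 1
      make_pki
      key_matches_cert leaf.key leaf.crt && echo "leaf.key matches leaf.crt"
      key_matches_cert leaf.key selfsigned.crt || echo "leaf.key does NOT match selfsigned.crt (-signkey replaced the public key)"
      chain_ok root.crt leaf.crt || echo "root.crt alone: unable to get local issuer certificate"
      cat inter.crt root.crt > chain.pem
      chain_ok chain.pem leaf.crt && echo "chain.pem (intermediate + root): chain verifies"
      export_p12 root.crt bad.p12 || echo "pkcs12 -chain with root.crt alone fails"
      export_p12 chain.pem ra.p12 && echo "pkcs12 -chain with chain.pem succeeds: ra.p12 written"
    )
}
demo
```

Running key_matches_cert before the export turns "No certificate matches private key" into a precise answer (which key, which certificate), and chain_ok does the same for the chain error; both use the same primitives pkcs12 uses internally, so a pass here means the export will not fail on those two points.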