I am playing with openssl 1.0.2a - specifically CMS support for ECC.
As a test I am doing a simple encrypt and decrypt.
I gave an RSA example as a known good working example / sanity test.
The ECC example fails.
Any ideas? TIA.
./openssl version
OpenSSL 1.0.2a 19 Mar 2015
echo -n 12345678123456781234567812345678 > sess.txt # 32 byte plaintext
#RSA works
./openssl genrsa -out rsa.key 2048
./openssl req -x509 -new -key rsa.key -out rsa.crt
./openssl cms -encrypt -in sess.txt -out rsaencsess.bin -outform PEM rsa.crt
./openssl cms -decrypt -in rsaencsess.bin -out rsadecsess.txt -inform PEM -inkey rsa.key
#AOK.
#EC fails
./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key
Error decrypting CMS structure
error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
OpenSSL's Steve Henson resolved it as follows: "RSA can decrypt without knowing the certificate but currently EC cannot. So try including the option -recip ecc.crt when you decrypt
this now works:
./openssl ecparam -name prime192v1 -genkey -out ecc.key
./openssl req -x509 -new -key ecc.key -out ecc.crt
./openssl cms -encrypt -in sess.txt -out encsess.bin -outform PEM ecc.crt
./openssl cms -decrypt -in encsess.bin -out decsess.txt -inform PEM -inkey ecc.key -recip ecc.crt # NOTE "-recip ecc.crt" is currently required else it won't work!
Related
I have been having trouble configuring tensorflow to use ssl certificates. In run the experiments in my local machine. The tensorflow environment I am using is as specified in tensorflow/serving:1.14.0-gpu Dockerfile.
When calling the command:
tensorflow_model_server --port=9000 --model_config_file=<path_here> --ssl_config_file=tf_ssl.pb
The model loads well, but I get the following error:
E1205 16:16:11.240133400 7 ssl_transport_security.cc:675] Invalid cert chain file.
E1205 16:16:11.240876900 7 ssl_security_connector.cc:276] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1205 16:16:11.240950800 7 server_secure_chttp2.cc:81] {"created":"#1575562571.240923200","description":"Unable to create secure server with credentials of type Ssl.","file":"external/grpc/src/core/ext/transport/chttp2/server/secure/server_secure_chttp2.cc","file_line":63}
The contents of the tf_ssl.pb file are as follows:
server_key: '-----BEGIN RSA PRIVATE KEY-----MIIJKgIBAAKCAgEArq6bpXNgZt5yBoESjIuIcK9gyW+Ur5X4NJX7an93HqByhItCORLn/vHC9ACpfJARFaAPE8f0YLt8tZi+2OJ0PfQ9OQO6qQpwCgHkC2GrOCjGe9FqtdjZnBj6N19wXvXvcyNYJxVdbTUvPR10lKbCk8MaOs0ZU2KLIC3qsSrUBjsRAZXQFIMzPOVZ2UH4j1r2T66ufF0sGeW6mtDOSNZxZfGZ5/Xos1UAt7A8wDKDagRo1HJA1lPAWM9lCSVsmkeFnouu3mXyy8hNDfm3ge2mwReRXKK/4g2qyiAfaU7gopRA5uNgXLvP690cWT25xeQ6+vZLLnmkCIWzZLoqqVpClxhFfVuyxQo0LuJwMTADqUSi3e0qGCW1SmHQqOQpnGlK18JqKrqgIxk03sKaHvcrnqTGaG0yZAjypZ49Ajv23KvsoZd3zb7D904vg/Lo2zXks1KyPHNqx5e3zsmSi310WQLgNCPSuFKNKNknpkmEUn+Ev/DDMO7Xj203ta8YuGVWElmne6IpCGB3JI/Mbeu4EXQpS173mTexgSW4I5rz0/dX9Z6NapjX39v2YZwD2MsVIgdFL5vabM0BQ0AomNvM9d3PrGek0bnKR8/3ak6k07cL56N8yokow4x0HsIQlxZgVmKAJZDVZGZeowOVFqoNBrRCSg2OWLANdS3qttd88SUCAwEAAQKCAgEAiueKGWy/0c09evKUX3JtUr4DButVnrJwptBFFpC5ln8b0U4zoNLp7I8u6XzFSan+C+Y1VxN/vpQYPQdza1/X85QOQxI2EkmcgjiysGJAFu5Ftxv18Ri5IimyfunDn5+Ng08twBZ7LmZGZCDSHYrl2z4f03ZYlzgbTcF1iOB3rWS2xz3sMwOJcPkoE10kXEqG5yIO2hH1CbrmQkmcX8s2bUxLiGrBWilT4r2f8W25lkpfWeBosoXyxCxXOYiq7ZvGIycMLQmAoo9qxpw2Unk6Sv2Et9crIoSftQ8KK2Fvu5iMa42PiO5IDlTLQCOXYEd2py3G5vQPfj9jQcvQNM7zd4WSCHal1nrVcDegMmX3ZIF1sBN4S5ZMDHsWmCv4cdvj+Si0HWzVLrly5DDet2sMx31uF4tjKkPMVZlV8oxGad0d7P36GYoAkAooNwWdeF38k5atdCJw2u1aFFceI8ZC3gv6zXIW1/u7Apdfpk7k7b0KMW4SHz2WDJcsadP+JdkXSO8q7Q+4yToFrtFUswr2vaAzps1N7xko5N9hYB42ohwK5XoNPU7mezNhkS8u0Nx/0LsCaOdQwTUaUsfQQC+eYsAY5xHud/NPlFv0Jin44oKJOKXxNUtfGzu4mC+nwqGevqKzonGFQBkXkvi/fwDrNYa2k0wOFv8uHb5umSXYC4ECggEBAOT3vYwGVkef65tyDpXfb9E1IwdYYGkk0yWh0wfEX7jr6qYc8/WTHe41LjesI5w06Fo+Rkj2v/pE9dRzvCmxVu0MsoXAun0goS7laDCb6+H7B4QxSRS2jh21HQJbTkYx8CJXkKs2Nv3jfP9Yhgjc1oaEGl3Bso/k2/HdRZeZQIa+GvWUV25la3vMn1fFybTG6gSxjVBNACZB1uWmWTtqiCXauT4/Tg8IljsriWjATtE42gJ7q3MZJOr2Qm52dFhuqPdAoNQYvgHzMqyyz+D45EYAL7N5rrgBrvEm3WjuO2ZTJFhDqgU5H1bujdBONJHYMl/pyKhSvYElwCp1+XyLD7ECggEBAMNOJuNDKotihoMCXpShg/JfHQKunnb6da/h1W0FRWRUQGP3RwPWRRBs0r5MTnuIBnqG7hLZiLDozemAl38nLvAHQF5Nbvp/W8SRV0b/ysXnNQzlDLfMb3tDXJA8IJ1LcmIWNs53nQiG5oB7hSOMMr15u5wL804NnqNJECH9oHz7Ahj3XbjeZmHd1ImuQeQ6yWE3PSdVF6IdDzxz69Z9M1J9xMvP93CcUSeIfwI6qsilSXL0bjtk26phBzHTHTHILa95TrQv0xA8CrxcynXZsi2Z4nt0H/1XgMgLPn9wzmmrywCMQLrCoH8OkDj5DcXTb5GP+aVIUuq8iH7XeCN/qbUCggEBAJb7IbsGprgeJM9gu2tqZaJPZqS+SvyqMq068xvJCtG2hwk4SEoj03WzDaHaWbT0Uk7Hh7MvOlI+TNfl5Sqc7NPtLn7yIkbGUGLLFRQQjM97p24szaLh6f5+4f0e1hOFdHJAyX2Mh2CNNGxwJBoN/UvAKl6ujh9CayImpXActybijoZnZeu+5sxAlsXa/3G8RK4JokRUMggIHDtcoLSEP/iuLL52IfPZ1q53u+kd/hsKYP+IKvr/lo91CUMryvZRKgu4SxTwp8JDaqPkWR1hIa1jDBFN6L8fJQuRdChwBy0nH+0v2RoOm7LIJS05lIKjTDxgvVb5EErr6LZXCsdsL1ECggEATwys1MN0zuHcC97DpWkSXOF+fn1rCkEprTy9A9lkUs1/GncVuUnavmEtk3STN5DA/orqhZqipugzn9U6fG7Boslslj7FMoKmBBPHvab+zcddQ5DZ6vLGFKAZMRAFK2VEMMtI95yWZMMlPM/B/bdbOjGxa+GyYt9EXFbQPtHHSY7XNH+64X6y9d2xjuCHLvdUVxLin67jV+xnJFLPHAuk4DijlNLiFiRO/K9UqPRR99BewDaK/2M9PeLz5IjMgj/BrgptfqT0ytdiiQcNs1GfurFUaB+Cayolp9JVQ4PHKCIuklQyRuVLzOF6InU7y9xehg4+P1XcqcIRhTV1HPkpGQKCAQEAt24Uhm66akL9Ak/ib7DuJWl9iDRw911BYqBVNbMtcW0iZMasHtEUk+eM8g9CVfKwVHlHP/fNBL+bkPMcceJ3HYjDRgXZLjbt+16/EG3+N1xd2kPZhRufulVZ2I73PjLFfUNlKmLUXaYR0sNfOP1bmvPCupwnuM699nDQEZOJXJEPgbWvQzfUSz5K8f90eH70bB72Sl7qxSX8CZYI5ATTBUY5MacLkvpnLrs1Xvup9vFyoJ3OnDBP9OAe5e/hH3e7FYT2vV40r4KQqGmPF3MNj4eMmfTUaqcN7eNteoNmJ9YrlBNu486NFmKWkbtGPgNkKAIOv9x95r8X3R/xFObuvQ==-----END RSA PRIVATE KEY-----'
server_cert: '-----BEGIN CERTIFICATE-----MIIFRzCCAy8CAQEwDQYJKoZIhvcNAQEFBQAwaTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlDdXBlcnRpbm8xFDASBgNVBAoMC1lvdXJDb21wYW55MRAwDgYDVQQLDAdZb3VyQXBwMREwDwYDVQQDDAhNeVJvb3RDQTAeFw0xOTExMTUxNzI5MTJaFw0yMDExMTQxNzI5MTJaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRQwEgYDVQQKDAtZb3VyQ29tcGFueTEQMA4GA1UECwwHWW91ckFwcDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArq6bpXNgZt5yBoESjIuIcK9gyW+Ur5X4NJX7an93HqByhItCORLn/vHC9ACpfJARFaAPE8f0YLt8tZi+2OJ0PfQ9OQO6qQpwCgHkC2GrOCjGe9FqtdjZnBj6N19wXvXvcyNYJxVdbTUvPR10lKbCk8MaOs0ZU2KLIC3qsSrUBjsRAZXQFIMzPOVZ2UH4j1r2T66ufF0sGeW6mtDOSNZxZfGZ5/Xos1UAt7A8wDKDagRo1HJA1lPAWM9lCSVsmkeFnouu3mXyy8hNDfm3ge2mwReRXKK/4g2qyiAfaU7gopRA5uNgXLvP690cWT25xeQ6+vZLLnmkCIWzZLoqqVpClxhFfVuyxQo0LuJwMTADqUSi3e0qGCW1SmHQqOQpnGlK18JqKrqgIxk03sKaHvcrnqTGaG0yZAjypZ49Ajv23KvsoZd3zb7D904vg/Lo2zXks1KyPHNqx5e3zsmSi310WQLgNCPSuFKNKNknpkmEUn+Ev/DDMO7Xj203ta8YuGVWElmne6IpCGB3JI/Mbeu4EXQpS173mTexgSW4I5rz0/dX9Z6NapjX39v2YZwD2MsVIgdFL5vabM0BQ0AomNvM9d3PrGek0bnKR8/3ak6k07cL56N8yokow4x0HsIQlxZgVmKAJZDVZGZeowOVFqoNBrRCSg2OWLANdS3qttd88SUCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAvq5lqXX5AkLssQkndB+weWjHFyUSH5wUjy35qWy5ZQL6AwFzUeGWaqhk0qJtDMn8TA5oF1LpvdG5m8dJNAam4uNGYkSOU8wNyx5TVwFEMU9PyUakjDYCEcRW0N4PuAvn2H4NSd9qnltphVuI6bKepyGaBXLlDpIUvjm+jowXNA3AcGD2YRJmJTy4iuz36QO7lzdSLzNgfRMgkIf+UsX+nnkWXpqVYYomwHgbapbau6B/HuiMR8MdQ7yTi16RFmWhsY96m51GH44xIYBc4Xz4lMSSq3VLd7Jmt/uErFegLTId3u9+8B+TjbHskXpbafUubsoE20IisY8vcnJ0epDND4IXW08lALAcjFgjiAmLtYoyu60Hw1VXk3zZ7BU8NmbRODy4RUP+AFD+vgfT/dSn5cbtJn6Gp/lM0Nr1ZzURcLar18P/HXnOI9/FfsuzCXsl9CVaDiayv7newl8/keDNsEP2DbhpKfZnpamgEnD2HxEEF+TakIuFReB/LKm0Ta0mQesAXTE3V5deoBdIjocbU72ZEsEnsl0+u5o0byU7k0tgJGMessUzNd/YNiaVqWOuwDbwJ3XX1XQveBez0QaKIjkO4atjLYIO2RK/WA1ahND8Mb4dw/xeHWhXyhjk8l3kwE1n23nYwcwBzP7seaT1Cd/IyFUZFXv2+0WmXC35g1g=-----END CERTIFICATE-----'
custom_ca: '-----BEGIN CERTIFICATE-----MIIFTjCCAzYCCQCHSSo4I8t6pTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEjAQBgNVBAcMCUN1cGVydGlubzEUMBIGA1UECgwLWW91ckNvbXBhbnkxEDAOBgNVBAsMB1lvdXJBcHAxETAPBgNVBAMMCE15Um9vdENBMB4XDTE5MTExNTE3MjkxMloXDTIwMTExNDE3MjkxMlowaTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlDdXBlcnRpbm8xFDASBgNVBAoMC1lvdXJDb21wYW55MRAwDgYDVQQLDAdZb3VyQXBwMREwDwYDVQQDDAhNeVJvb3RDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMPo3mS2heonAke575dTq8z8EayyO7XjUkC/ny00CWkE/z+A60qqm9HDCV1762FUsJwVlX1tdrMmx1WfIhLvQmTlYi+KrWIRRdOO5sSd/tN5QNkVg/Wy74csy1yPIPHRvJJdzN9HlgJ+2Za4a0GCueHYU17+nlowz5b0gpzcChe6uKeuEtfUlKh2ECjFwu+ggXFbOr0Yh5i26JGxfGTbENo/sBZBon6bvjTEsW/IuBppWLboVE+kfgOS9zODuKmfWOUfmjikzx0dZfNClyfXn9HL3uQwxgJQ9FkaNz8X186tYbQa/oLjO33EdQsVGOMjEuIf/Bz16JKite9lq4UdPVy/tEXsZ3EzEh7T0KAoqQsQSyRcrcpi9GWYMRW1VtaWirWgKIQBzhsuvPDjxjdKWpkLrc5Cr3TCiTcPrDq/Dpn+7qUg7pjzApx8EsujZEh1fmnnjtYr90pYY2y746o5QqmQtCiuNGezIsyCF2xhDOrvhJNSZ94Y0i4DUiMpT4UZEV3J+RVyvAPYXpSrLlvIATbanSWqGDrpeV5mSKl8mKi4SdCErsP9B/9Py9JoH0dg45Ap0oEE3i3cei1loDQ9Q6LSWdL13K8q+Q5Pobt7m3ZJ/FbHbfCCDrdShpUsEOzwv3E6y9q7cCB45VYee5p3YGW2KT+G+vz61sH+UeaM/d4rAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAFiblbJaxNhNvCtzOTloGGAl+mJ5/BmwIrdVxPJDvEHQYqH6QOCi6FWK1qJZxkuuLLOK+7nL7pwqaIv7Gcs8rUcE/n5KLsquAmfcWwKgoa+3Tmv4ZRSu9tzC1zuHMAzdf1klrj4tAL8HCMbHe4PIZEGV0/aDrNz0Xvct6LNgYKLE0hZi+Hg3ahNILyDmPtTGMhYL0itS3I/3Y6Ae0K5n2fJMdzOttZV5LMrg698Dbj9nNdT/NCDH7X5QeaTY0q646xM5v5AoJKXQdTvsCGGEMdaU+QvAC6vpdEY+aN8OLPZ5mkAgcdlbGEhQ4jtWfaBvNDJAar7zdHHbfJwLihbzHyAqzrJ8C4SvAZVkECS6x7tL3mZrPF+N4TF986W7+ii/XOZPcfr8X2KaTV3dwDVYHe6cDAdAgw0lPrrT1acldnmDaF6tiyqdxH8NCIQv8WH3bF2PyCPrPAljB3Oh+B6muvwlGBXsHu0hZE+o8BnFak5zUDbZnLuJEZq7AP/BBYgx6iVZxtPPNuwcJQTRMTxTCq+8TE2R73AX9iQwKFy/NAkjj6ieuaxTSaSZ4VnuJO0CFy3KyTPVgB/e+H6pMOkAYti1OavPjPQCK9NYMczo6mLp2FgA/77FJhfvLFdpubKqX7MGc8D7hh9xk8iQErFXK+sl0i6lwqgDgYNJykHscj2f-----END CERTIFICATE-----'
client_verify: false
And those keys were created with the following script:
echo Generate CA key:
openssl genrsa -passout pass:1111 -des3 -out ca.key 4096
echo Generate CA certificate:
openssl req -passin pass:1111 -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=MyRootCA"
echo Generate server key:
openssl genrsa -passout pass:1111 -des3 -out server.key 4096
echo Generate server signing request:
openssl req -passin pass:1111 -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=Cupertino/O=YourCompany/OU=YourApp/CN=localhost"
echo Self-sign server certificate:
openssl x509 -req -passin pass:1111 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
echo Remove passphrase from server key:
openssl rsa -passin pass:1111 -in server.key -out server.key
I really would like to know if the problem consists in the way that I have been creating the certificates, or if it is due to an incorrect format of the tf_ssl.pb file.
Try to concatenate certs/keys lines with \n in tf_ssl.pb, e.g.:
server_cert: '-----BEGIN CERTIFICATE-----\n< CERT >\n-----END CERTIFICATE-----'
This question already has answers here:
How to generate a self-signed SSL certificate using OpenSSL? [closed]
(23 answers)
Closed 6 years ago.
Trying to convert .pem file to .der file using below command.
openssl x509 -in public_key.pem -out cert.der -outform DER
getting below error
unable to load certificate
31833:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSS
L098/OpenSSL098-52.30.1/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFIC
ATE
I have generated RSA private/public keys using below.
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
You are creating a RSA key pair. And you are trying to convert the public key into DER format.
openssl x509 command requires public key inside the X.509 container.
Try this command to create the Private Key and Public Cert.
Create a self signed CA Cert:
openssl genrsa -out CAkey.pem 2048
openssl req -new -x509 -key CAkey.pem -out cacert.pem -days 1095
Now create another cert which is signed by the CA created above
openssl genrsa -out serverkey.pem 2048
openssl req -new -key serverkey.pem -out server.csr
openssl x509 -req -days 1000 -in server.csr -CA cacert.pem -CAkey CAkey.pem -out server.pem -set_serial 01
Later convert the public cert in PEM to DER format.
openssl x509 -in server.pem -out server.der -outform DER
I issued the following commands to create a signature for a file (linux kernel) :
openssl req -newkey rsa -keyout codesign.key -out codesign.req
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
The ca.cnf file is for my own private CA infrastructure and it has digitalSignature key usage extension and the codeSigning extended key usage extension enalbed.
How can i verify that the vmlinuz.sig is the signature of the vmlinuz ??
A certificate is generated using the following openssl command :
openssl req -new -x509 -keyout server.key.pem -out server.crt.pem -config /etc/ssl/openssl.cnf -extensions cust_const
The corresponding CSR is generated using the command:
openssl x509 -x509toreq -in server.crt.pem -signkey server.key.pem -out server.csr -extensions cust_const
The conf file (openssl.cnf) has the below mentioned entry.
[ cust_const ]
basicConstraints = CA:FALSE
The problem is that the generated CSR doesn't include basicConstraints extension.
How can basicConstraints be included into the CSR when we already have a certificate with basicConstraints in it?
when you want to create a CSR to be signed by other CA he will "make" you CA as well ( e.g. root will sign intermediate as CA with depthLen=1 , where intermediate will sign endPoint as CA=FALSE ... )
first you need to understand what do you want to do (root / intermediate / Endpoint)
if you are root create extensions file (look for openssl default for help...)
below short list command to help you get started :
create root ca certificate
openssl genrsa -des3 -out rootca.key 2048
openssl rsa -in rootca.key -out rootca.key.insecure
openssl req -key rootca.key.insecure -new -x509 -days 3650 -extensions v3_ca -out rootca.crt
openssl x509 -text -in rootca.crt
NOTE:
it uses the default extensions file: /usr/lib/ssl/openssl.cnf (or /etc/ssl/openssl.cnf)
create intermediate certificate
openssl genrsa -des3 -out intermediate.key 2048
openssl rsa -in intermediate.key -out intermediate.key.insecure
openssl req -new -key intermediate.key.insecure -out intermediate.csr
NOTE: you might need these commands before the next command 'openssl ca'.
mkdir demoCA
touch demoCA/index.txt
echo 1122334455667788 > demoCA/serial
openssl ca -extensions v3_ca -days 3650 -outdir . -batch -cert rootca.crt -keyfile rootca.key.insecure -in intermediate.csr -out intermediate.crt
NOTE: after run 'openssl ca' you can remove the demoCA folder
rm -rf demoCA
openssl x509 -text -in intermediate.crt
openssl verify -CAfile rootca.crt intermediate.crt
create server/client certificate
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key.insecure
openssl req -new -key server.key.insecure -out server.csr
openssl x509 -req -days 3650 -CAcreateserial -CA intermediate.crt -CAkey intermediate.key.insecure -in server.csr -out server.crt
openssl x509 -text -in server.crt
I'm creating my certificates like this:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -sha512 -days 36501 -out rootCA.pem \
-extensions v3_req
openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -sha512 -days 36500 -out client1.csr \
-extensions v3_req
openssl x509 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
openssl verify -verbose -CAfile rootCA.pem client1.pem
openssl pkcs12 -export -in client1.pem -inkey client1.key -out client1.p12 -name "client1"
I want the .p12 certificate to use sha512 algorithmn. I thought about adding the option -sha512 to the convertion (last line) but it seems like pkcs12 doesn't got this option. Any ideas?
PKCS#12 supports the following encryption algorithms for private key encryption.
128 bit RC4 with SHA1
40 bit RC4 with SHA1
3 key triple DES with SHA1 (168 bits)
2 key triple DES with SHA1 (112 bits)
128 bit RC2 with SHA1
40 bit RC2 with SHA1
3 key triple DES is used by default so no need to give -des3 if you prefer it.
You can output some info from the generated pkcs12 file with the following command:
openssl pkcs12 -in client1.p12 -noout -info
As a side note, when you generate the x509 client cert you need to give -sha512 argument if you want to use sha-512 hashing function.
Verify whether sha512 hash function was actually used:
openssl x509 -in client1.pem -noout -text
If not, then recreate it with -sha512
openssl x509 -sha512 -req -days 36500 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem