openssl pkcs12 -export Programmatically - ssl

I was wondering if there is a way to access the pkcs12 command of openssl programmatically.
I intend to access the export functionality of the pkcs12 command using a (any) programming language. My current installation is on Python.
I am aware of the fact that there is a command line interface to pkcs12, but that requires starting a new sub-process, which is not feasible for the problem that I have.

This answer points to a related sample code in C :
how to verify a P12 certificate using openssl?
Function and class names should be similar in Python.

In Python, the PyOpenSSL PKCS#12 module should be useful for this.
In Java, you could load the PKCS#12 file directly as a PKCS12 KeyStore and then get the private key. You may also find BouncyCastle's PEMWriter useful to export the keys or certificate.
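As an added example (not part of the original answers), the following Python does the export in-process with the cryptography package's pkcs12 module, which is what PyOpenSSL is built on and which has replaced PyOpenSSL's own deprecated PKCS12 class. It constructs a throwaway intermediate CA and a leaf certificate signed by it, packs the leaf key, the leaf certificate and the intermediate into a password-protected PKCS#12 container (the in-process equivalent of openssl pkcs12 -export -inkey ... -in ... -certfile ...), reads the container back, and shows that a wrong password is rejected with an exception rather than returning empty results. The common names, friendly name and password are constructed for the demo and are not from the thread.

```python
# Added example (not from the original thread): export a key plus certificate chain
# to PKCS#12 without spawning `openssl pkcs12 -export`, using the cryptography package.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _make_cert(subject_cn, issuer_cert, issuer_key, key, is_ca):
    """Build a certificate for `key`; self-signed when issuer_cert is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    signing_key = issuer_key if issuer_key is not None else key
    return builder.sign(signing_key, hashes.SHA256())


def build_demo_chain():
    """Constructed test material: an intermediate CA and a leaf certificate it signed."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _make_cert("Demo Intermediate CA", None, None, ca_key, is_ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = _make_cert("myserver.example", ca_cert, ca_key, leaf_key, is_ca=False)
    return leaf_key, leaf_cert, ca_cert


def export_pkcs12(friendly_name, key, cert, chain, password):
    """In-process equivalent of:
    openssl pkcs12 -export -inkey key -in cert -certfile chain -name friendly_name
    The container is encrypted under `password` (bytes)."""
    return pkcs12.serialize_key_and_certificates(
        name=friendly_name.encode(),
        key=key,
        cert=cert,
        cas=chain,  # extra certificates, e.g. an intermediate CA
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def import_pkcs12(data, password):
    """In-process equivalent of reading the file with
    openssl pkcs12 -in file.p12 (-nocerts / -clcerts -nokeys / -cacerts -nokeys).
    Returns (key, cert, additional_certs); raises ValueError on a wrong password."""
    return pkcs12.load_key_and_certificates(data, password)


def roundtrip(password=b"constructed-demo-password"):
    """Export leaf + intermediate to PKCS#12, read it back, and report what survived."""
    leaf_key, leaf_cert, ca_cert = build_demo_chain()
    blob = export_pkcs12("myserver", leaf_key, leaf_cert, [ca_cert], password)
    key, cert, extras = import_pkcs12(blob, password)
    return {
        "magic_ok": blob[:1] == b"\x30",  # a PKCS#12 file is a DER SEQUENCE
        "cert_matches": cert == leaf_cert,
        "key_matches": key.private_numbers() == leaf_key.private_numbers(),
        "intermediate_included": extras == [ca_cert],
        "chain_subject": extras[0].subject.rfc4514_string(),
    }


def wrong_password_rejected(blob_password=b"right", attempt=b"wrong"):
    """Failure mode: a bad password is a ValueError, never a silently empty result."""
    leaf_key, leaf_cert, ca_cert = build_demo_chain()
    blob = export_pkcs12("myserver", leaf_key, leaf_cert, [ca_cert], blob_password)
    try:
        import_pkcs12(blob, attempt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip())
    print("wrong password rejected:", wrong_password_rejected())
```

The friendly name and password correspond to what openssl takes as -name and -passout. load_key_and_certificates returns any additional certificates as a separate list, which is where an intermediate certificate bundled via -certfile (the situation in the Gandi question further down this page) ends up, while the end-entity certificate and its key come back as the first two values.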

Related

Issues with .keystore file

I am having issues with converting between .P7B to .PFX using a .keystore private key file
It produces the error
unable to load private key 2388:error:0909006C:PEM
when I run the command
openssl pkcs12 -export -out cert.pfx -inkey privatekey.keystore -in cert.cer
Please help.
According to the Oracle Documentation, a keystore is most likely The proprietary keystore implementation provided by and nothing that OpenSSL can convert.
As far as I know only java implementations can do this. Here are some tools that might help:
http://portecle.sourceforge.net/
https://keystore-explorer.org/index.html

How to use SSL certs with .p12 format with Traefik

In all docs, it is mentioned to add .crt and .key to traefik.toml.
In my case, I just have a .p12 file, it is possible to use a .p12 with traefik?
Let me start with differences between formats. Thanks to #sysadmin1138 for great explanation.
PEM - Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, more)
DER - The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used very much outside of Windows.
.pkcs12 .pfx .p12 - Originally defined by RSA in the Public-Key Cryptography Standards (abbreviated PKCS), the "12" variant was originally enhanced by Microsoft, and later submitted as RFC 7292. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted.
The main info about .p12: it is a fully encrypted and passworded container.
Take a quick look into traefik certificate.go
Package tls uses only crypto/tls and crypto/x509.
package tls
import (
"crypto/tls"
"crypto/x509"
...
)
Look at crypto/x509: reading certificates from PKCS12 files github issue:
There was an attempt to add PKCS12 cert support into crypto/x509, but in the end it was not implemented.
As was mentioned in the comments, the right way is to convert the .p12.
Here is an example of how to achieve it (thanks to #mulaz):
openssl pkcs12 -in filename.pfx -nocerts -out filename.key
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out filename.crt
And a source of the same: Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)
Hope it helps!

How to add an intermediate certificate to a pfx file

I've been using a certificate that's stored on the server in a myserver.pfx file.
However, behavior is not the same in all browsers and some complain on account of, I think, a missing 'intermediate' certificate.
I've downloaded the intermediate certificate from Gandi: GandiStandardSSLCA.pem
Now, my question is, how can I add that intermediate certificate into the pfx file?
Although the server is windows, I'm trying to use openssl on a linux machine to manipulate the certificates, just because that's where I have openssl available. I'm assuming this doesn't matter.
One thing I've tried, is to use openssl to export myserver.pfx to myserver.pem, a text file. Then, with a text editor, I've added the text of GandiStandardSSLCA.pem to myserver.pem in hopes of then converting back to pfx format. However, I couldn't get openssl to do that conversion back to pfx.
Is this possible? If so, at the text editing stage, does it matter if the intermediate certificate text goes at the beginning or the end? Also, would I need to manufacture 'Bag Attributes' somehow?
Or, is the whole operation done in one line with openssl?
The .pfx file can be prepared by exporting the intermediate certificate .pem file with the below command example.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Reference:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

C# WCF client error "The private key is not present in the X.509 certificate"

I am trying to create a very simple WCF client application which will send SOAP messages to a 3rd party service. All the messages must be digitally signed. It's really a proof of concept before I add the code to a larger application.
I have a .cer file containing the certificate and a .pem file containing the private key. What I have been trying to do is load the certificate using the .cer file then fire off a message. But I get the following error "The private key is not present in the X.509 certificate".
The problem, well one of the problems, is that I really know almost nothing about WCF, digital certificates, private keys and all that guff. I've done some reading, I've Googled till I'm blue in the face and I've not got anywhere.
If I open the .cert file there is a section labelled "BEGIN ENCRYPTED PRIVATE KEY" which suggests that the private key is included in the certificate. So, why am I getting a message saying that it is not present? Also, if the private key does need to be added to the certificate how do I do it?
Here is basically what I'm doing. It's not my actual code, but it includes all the relevant stuff:
MyWSClient c = new MyWSClient();
// Load the certificate from the .cer file (verbatim string literal for the path)
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"pathToFile.cer");
c.SomeValidCall();
How are you creating this cert / key pair? You can combine them into a PKCS#12 certificate using openssl:
openssl pkcs12 -export -in yourcert.crt -inkey yourprivkey.key -out newcert.p12
You may need to play with the input format to get it to work with a .pem private key.
My colleague has found a solution. I don't know why, but using a .der file rather than a .cer file solves the problem. This is the command he used to generate the .der file using a certificate, private key and root certificate as .pem files:
openssl pkcs12 -export -in cert.pem -inkey private_key.pem -certfile root_cert.cer -out pkcs12.der

Getting a SSL connection to work with STUNNEL/Win32

The service I need to connect to has provided me three files and I'm trying to figure out what I need to create the Cert=xxx.PEM file that STUNNEL needs
I have a "keystore.jks" file. Dumping that with keytool says it's a "Private key entry"
I have a "truststore.jks" file. Dumping that says it's a "trusted certificate entry". The alias is "server"
I also have a "xyz.cer" file. That seems to be a X.509 certificate
I've got OPENSSL and a Java program called "KeytoolUI".
Bottom line is I have a bunch of files and tools and with not much knowledge of SSL I feel like I can't see the wood for the trees. Do I need all those files? The existing PEM files I have for other services just have a "Certificate" section and a "RSA Private key" section.
Any advice appreciated. Thanks!
It sounds like your provider has provided your keypair (for client side authentication) as a java keystore, and (I'm guessing) the remote server's public certificate or CA certificate in PEM format.
That's some fairly heavy guesswork, but it's strange that they've sent you a private key if you aren't doing client side auth. (Let's hope they haven't sent you the private key for their server!).
As far as I'm aware, stunnel only uses PEM certificates, so you will need to convert your JKS files into two PEM files (one for the private key, one for the public certificate). One way to do this is to convert the JKS to a PKCS#12 (aka PFX) file using keytool, and then use OpenSSL to convert the PKCS#12 files into PEM private key/certificate files.
Once you have these two files, use them with the key and cert options in stunnel.conf.
For the final (mystery) PEM certificate that you have, I'm going to guess (again) that this is the remote CA, and therefore that you should configure this against the CAfile parameter in stunnel.conf. (If it's appropriate for you to post details here, edit to include output from openssl x509 -in <filename> -text to provide more clues).
No answer I'm afraid. In the end I got the company to just send me a PEM file.
I did find quite an authoritative looking tutorial here
http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_2.html
The problem is for somebody who doesn't do this everyday getting a bunch of free/open source software from various sources to work together. You can find scripts to do this on various sites, but when you run them, you'll see Java tracebacks, complaints about LIBEAY32.DLL missing ordinals, etc., etc.
If you get the exact right versions of KEYTOOL, OPENSSL, etc., installed in the correct place, with the exact right JRE version and all the other DLLs, the PATH correct, and all the stars exactly lined up, you'll be fine. Until then it's just an exercise in frustration.
openssl x509 -inform der -outform pem < xyz.cer > xyz.pem