How do I convert public key generated by OpenSSL into one NSS would understand? I've generated key with OpenSSL, exported it into pkcs12 format, imported it into NSS database and then extract public key with McCoy utility. And it was different to my great surprise. That is probably the matter of encoding but which one should I use?
Update: Looks like OpenSSL contain NSS key inside so the question is - how do I find out which part of OpenSSL key is also a NSS key?
openssl x509 -in mycert.pem -pubkey
does the job nicely
Related
It seems that both of the following commands (openssl from LibreSSL) produce private keys. Is there a difference between them? If not, why there are two ways to generate the private keys? Thanks.
openssl genrsa -out key.pem 1024
openssl genpkey -algorithm rsa -out privkey.pem -pkeyopt rsa_keygen_bits:1024
Both ways create RSA keys, albeit in different formats. genrsa outputs a RSA key in PKCS#1 format while genpkey outputs a more generic container which can manage different kinds of keys (like ECC). See Differences between “BEGIN RSA PRIVATE KEY” and “BEGIN PRIVATE KEY" for more on this.
Note that the documentation for genpkey explicitly states that this tool should be used in instead of the algorithm specific genrsa:
The use of the genpkey program is encouraged over the algorithm specific utilities because additional algorithm options and ENGINE provided algorithms can be used.
I am having issues with converting between .P7B to .PFX using a .keystore private key file
It produces the error
unable to load private key 2388:error:0909006C:PEM
when i run the command
openssl pkcs12 -export -out cert.pfx -inkey privatekey.keystore -in cert.cer
please help
According to the Oracle Documentation, a keystore is most likely The proprietary keystore implementation provided by and nothing that openSSL can convert.
As far as I know only java implementations can do this. Here are some tools that might help:
http://portecle.sourceforge.net/
https://keystore-explorer.org/index.html
I know there are many commands (openssl) to export pfx to pem BUT I need one thing different: I need to export the public key to a pem file and the private key to another file. Most of the commands and sites (some sites convert the pfx format to anyone I need) will only generate a single *.pem file.
Thanks.
Meta: this isn't a programming or development question, and will likely be closed as offtopic.
If you want the privatekey and the certificate (which contains the publickey but is not the publickey as such), this is a dupe of several questions in other Stacks where it is ontopic, including at least:
https://security.stackexchange.com/questions/3779/how-can-i-export-my-private-key-from-a-java-keytool-keystore/
https://serverfault.com/questions/715827/how-to-generate-key-and-crt-file-from-jks-file-for-httpd-apache-server
https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s (disclosure: my answer)
Alternatively since PEM files are structured text, you can parse the output of a single pkcs12 command by any number of text-handling programs such as awk:
openssl pkcs12 <p12 | awk '/-BEGIN ENC/,-END ENC/{print >"privkey"} \
/-BEGIN CERT/,/-END CERT/{if(!n)print >"cert"} /-END CERT/{n++}'
# for unencrypted privatekey add -nodes and select BEGIN/END PRIV
If you truly want the publickey, you can create it in algorithm-generic X.509 SubjectPublicKeyInfo form, from either the privatekey or the certificate:
# from the certificate
openssl x509 <certfile -noout -pubkey >pubkey
openssl pkcs12 <p12file -nokeys -clcerts | openssl x509 -noout -pubkey >pubkey
# from the privatekey
openssl pkey <privkey -pubout >pubkey
openssl pkcs12 <p12file -nocerts -nodes | openssl pkey -pubout >pubkey
This format is used by some OpenSSL functions (which calls it PUBKEY to distinguish from the several algorithm-specific PublicKey's), and low-level Java (which calls it X509EncodedKeySpec), and pretty much nothing else. Note systems using the bare public key are often insecure; that's exactly why most systems embed the publickey in a certificate.
If the key is RSA and you want the algorithm-specific (PKCS1 RSAPublicKey) format, in OpenSSL 1.1.0 (and presumably up) then use:
# from the SPKI publickey as above
openssl rsa <RSApub_spki [-inform DER] -pubin -RSAPublicKey_out [-outform DER] >RSApub_pkcs1
# from the privatekey
openssl rsa <RSAprivate [-inform DER] -RSAPublicKey_out [-outform DER] >RSApub_pkcs1
This is used rarely by a few OpenSSL functions and AFAIK nothing else; see caveat above.
I have an SSL certificate I purchased in a .pem, .crt, .der format. I was wondering how I get the key file from the certificate. Is there any way of doing this?
You can extract the public key. This has limited usefulness. Perhaps you are going to use the same key with another tool like SSH or PGP that doesn't use certificates.
With OpenSSL:
openssl x509 -pubkey -noout < cert.pem > pubkey.pem
You can't derive the private key from a certificate. That would make the whole thing quite pointless, wouldn't it?
I am generating two CSRs ( Certificate signing request )
1 . using java keytool i get a .csr format file.
using IBM key management tool i get .arm file.
Though both the files contains the same kind of data ( ie . base64 encoded public key details)
My question "can i rename .csr file to .arm" will it be the same ...
Thanks.
The most common syntax for a CSR is PKCS#10, which can be represented in binary or text formats. A CSR contains a number of pieces of information including: a public key, the subject distinguished name, a signature, and optional attributes. If you can view the files in a text editor and they look similar to this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----
then they are text (aka PEM) encoded CSRs. These text encoded CSRs can be decoded and viewed using the following openssl command:
openssl req -in your-csr-filename -noout -text
Renaming the file will not affect openssl's ability to decode them. However, some applications that process CSRs may expect a particular filename extension.
You can inspect your certificate signing request (csr) using OpenSSL with a command such as:
openssl x509 -req -in yourfile.csr -text -noout
I'm assuming that IBM's thingy is a wrapper around openssl so I would expect your .arm to be an x509 certificate going by a different name. Be interested to hear what you get back ...
The answer is yes. The .arm file is the same format as .csr. As you stated, they both contain the same type of data and therefore can simply be renamed. Furthermore, the common types of CSR requests are PKCS#10 and PKCS#12.
#snow60y: You won't see anything with 'openssl x509 -req -in yourfile.csr -text -noout' because there is no private key contained within the CSR and it is not signed, so it is not an x509 yet. A CSR should NEVER contain a private key and therefore, analyzing with that command should fail. You can use that command with a SIGNED cert, but not the request. For the request, use:
openssl req -in your-csr-filename -noout -text