Go Premium for a chance to win a PS4. Enter to Win


Confusion over PKCS contents when converting to PEM format

Posted on 2010-09-09
Medium Priority
Last Modified: 2013-11-19
I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again so doing back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
 openssl -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections, a private key, the CA certificate (vendor specific) and the Site certificate (coded up using BASE 64 I think)

However using the resultant PEM file in the PHP code, I am disallowed access to the SOAP soap data calls.  

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts, ca, cert and key, but retaining the private key in the original P12 file.
I am sure I did a year ago using some tools with putty, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change.

Question by:brothertom
LVL 31

Accepted Solution

Paranormastic earned 1600 total points
ID: 33642161
Sounds like you are trying to use a client authentication certificate?  i.e. passing the certificate for authentication instead of a password?  If that's the case then the private key should be on your box and have nothing to do with the private key of the SOAP server.  The SOAP server will have its own web server SSL styled certificate and its own private key that you don't need to worry about - you would just get the public version of the cert and validate that.

Side note - PEM and Base64 are almost synonymous and tend to be used interchangeably.  Basically non-BER/DER.

I'm assuming you had openssl pkcs12 -in file.p12 -out file.pem

The private key is the same in both the .p12 and the .pem files.  Would it be easier to split them into different files maybe?
openssl pkcs12 -in %SiteName%.p12 -nocerts -out %SiteName%_key.pem
openssl pkcs12 -in %SiteName%.p12 -nokeys -out %SiteName%_cert.pem
openssl pkcs12 -in %SiteName%.p12 -cacerts -out CA_Certs.pem

The vendor that you are connecting to issued you the certificate, correct?  Then they should hopefully know that they need to have their internal root chain installed on the web server, but I wouldn't make assumptions even for larger companies that all their admins are familiar with this stuff (hopefully they do).

I'm not sure how your code is written, but SSL handshakes usually have a little bit of a delay built in even with fast connections - make sure your code is waiting for the handshake to complete before continuing, or at least pause for 35 seconds to allow for the handshake to occur.
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 400 total points
ID: 33644849
you should just be able to cut and paste - each section in a pem file is bounded by markers like -------- begin private key --------- and you can just copy each block.

if you want to do it with a gui tool though, use http://sourceforge.net/projects/xca to import the p12, and export each bit into a separate file that way to suit your needs :)

Author Comment

ID: 33657982
Just to wrap up this question.

First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood.  When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.


Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…
Suggested Courses

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question