Confusion over PKCS contents when converting to PEM format

Posted on 2010-09-09
Last Modified: 2013-11-19
I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again, so I am going back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
openssl pkcs12 -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections: a private key, the CA certificate (vendor specific) and the site certificate (encoded using Base64, I think).

However, using the resultant PEM file in the PHP code, I am disallowed access to the SOAP data calls.

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts (CA, cert and key) while retaining the private key from the original P12 file?
I am sure I did this a year ago using some tools with PuTTY, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change.

Thanks
BT
Question by:brothertom
3 Comments
 
LVL 31

Accepted Solution

by: Paranormastic (earned 1600 total points)
ID: 33642161
Sounds like you are trying to use a client authentication certificate?  i.e. passing the certificate for authentication instead of a password?  If that's the case then the private key should be on your box and have nothing to do with the private key of the SOAP server.  The SOAP server will have its own web server SSL styled certificate and its own private key that you don't need to worry about - you would just get the public version of the cert and validate that.

Side note - PEM and Base64 are almost synonymous and tend to be used interchangeably.  Basically non-BER/DER.

I'm assuming you had openssl pkcs12 -in file.p12 -out file.pem

The private key is the same in both the .p12 and the .pem files.  Would it be easier to split them into different files maybe?
openssl pkcs12 -in %SiteName%.p12 -nocerts -out %SiteName%_key.pem
openssl pkcs12 -in %SiteName%.p12 -nokeys -out %SiteName%_cert.pem
openssl pkcs12 -in %SiteName%.p12 -cacerts -out CA_Certs.pem

The vendor that you are connecting to issued you the certificate, correct?  Then they should hopefully know that they need to have their internal root chain installed on the web server, but I wouldn't make assumptions even for larger companies that all their admins are familiar with this stuff (hopefully they do).

I'm not sure how your code is written, but SSL handshakes usually have a little bit of a delay built in even with fast connections - make sure your code is waiting for the handshake to complete before continuing, or at least pause for 35 seconds to allow for the handshake to occur.
 
LVL 33

Assisted Solution

by: Dave Howe (earned 400 total points)
ID: 33644849
You should just be able to cut and paste - each section in a PEM file is bounded by markers like -----BEGIN PRIVATE KEY----- and you can just copy each block.

If you want to do it with a GUI tool though, use http://sourceforge.net/projects/xca to import the p12, and export each bit into a separate file that way to suit your needs :)
 

Author Comment

by:brothertom
ID: 33657982
Just to wrap up this question.

First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood.  When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections:
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.

Cheers
BT
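The wrap-up above explains the failure: OpenSSL-based clients such as curl (and PHP's curl binding) take the first certificate in the --cert PEM file as the client certificate, so with the bundle ordered key | cacert | site cert the CA certificate was presented instead of the site certificate. The script below is an added example, not code from any of the posters, that does the split the accepted answer describes from the combined PEM file itself. It assumes the bundle came from openssl pkcs12, which prints subject= and issuer= text lines above each certificate block; a certificate in the bundle whose subject appears as another certificate's issuer is treated as a CA certificate, everything else as the site certificate, and a block without those headers (for example one pasted by hand) is flagged rather than guessed. SAMPLE_BUNDLE is constructed with placeholder bodies and is not real key or certificate material.

```python
"""Split the combined PEM written by `openssl pkcs12 -in x.p12 -out x.pem` into
key.pem / cert.pem / cacert.pem.  Added example, not from any poster on this page."""
import re
import sys
from pathlib import Path

# One PEM block: -----BEGIN X----- ... -----END X-----, BEGIN and END labels must match
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.+?)-----END (?P=label)-----",
    re.S,
)
# Text lines that openssl pkcs12 prints above each certificate block
HEADER_LINE = re.compile(r"^(subject|issuer)=(.*)$", re.M)


def parse_pem(text):
    """Return the blocks in file order with their label and any subject/issuer header."""
    blocks, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        headers = dict(HEADER_LINE.findall(text[pos:m.start()]))
        blocks.append({
            "label": m.group("label"),
            "pem": m.group(0) + "\n",
            "subject": headers.get("subject", "").strip(),
            "issuer": headers.get("issuer", "").strip(),
        })
        pos = m.end()
    return blocks


def classify(blocks):
    """Tag each block: key, leaf (site cert), ca (issued another cert here) or cert? (no headers)."""
    issuers = {b["issuer"] for b in blocks if b["label"] == "CERTIFICATE" and b["issuer"]}
    for b in blocks:
        if b["label"].endswith("PRIVATE KEY"):
            b["kind"] = "key"
        elif b["label"] != "CERTIFICATE":
            b["kind"] = "other"
        elif not b["subject"]:
            b["kind"] = "cert?"   # hand-pasted block without openssl's headers: cannot tell
        elif b["subject"] in issuers:
            b["kind"] = "ca"      # another certificate in the bundle names it as issuer
        else:
            b["kind"] = "leaf"    # nothing here was issued by it: the site certificate
    return blocks


def split_bundle(text):
    """Return {'key', 'cert', 'cacert'} as PEM text plus a list of warnings."""
    out = {"key": "", "cert": "", "cacert": "", "warnings": []}
    for b in classify(parse_pem(text)):
        if b["kind"] == "key":
            out["key"] += b["pem"]
        elif b["kind"] == "leaf":
            out["cert"] += b["pem"]
        elif b["kind"] == "ca":
            out["cacert"] += b["pem"]
        elif b["kind"] == "cert?":
            out["cert"] += b["pem"]
            out["warnings"].append("certificate without subject/issuer headers; check cert.pem by hand")
    # cert.pem must hold exactly one certificate, the one the client will present
    if out["cert"].count("-----BEGIN CERTIFICATE-----") != 1:
        out["warnings"].append("expected exactly one site certificate in cert.pem")
    return out


# Constructed sample in the order the question describes (key | cacert | site cert).
# The base64 bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXIta2V5LWJvZHk=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes: <No Attributes>
subject=CN = Vendor Root CA
issuer=CN = Vendor Root CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItY2EtY2VydC1ib2R5
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
subject=CN = brothertom client
issuer=CN = Vendor Root CA
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItc2l0ZS1jZXJ0LWJvZHk=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # usage: split_pem.py mycert.pem   (falls back to the constructed sample)
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    parts = split_bundle(src)
    for name in ("key", "cert", "cacert"):
        if parts[name]:
            Path(f"{name}.pem").write_text(parts[name])
            print("wrote", f"{name}.pem")
    for w in parts["warnings"]:
        print("warning:", w, file=sys.stderr)
```

The private key is copied byte for byte, so it is the same key the vendor put in the P12; the PEM passphrase prompt only chooses how that key is encrypted at rest in the new file. To confirm the key and the site certificate belong together before handing them to curl or PHP, compare the public key each one yields: `openssl pkey -in key.pem -pubout` and `openssl x509 -in cert.pem -noout -pubkey` should print identical output.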
