Confusion over PKCS contents when converting to PEM format

Posted on 2010-09-09
Last Modified: 2013-11-19
I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again so doing back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
 openssl -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections, a private key, the CA certificate (vendor specific) and the Site certificate (coded up using BASE 64 I think)

However using the resultant PEM file in the PHP code, I am disallowed access to the SOAP soap data calls.  

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts, ca, cert and key, but retaining the private key in the original P12 file.
I am sure I did a year ago using some tools with putty, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change.

Question by:brothertom
LVL 31

Accepted Solution

Paranormastic earned 400 total points
ID: 33642161
Sounds like you are trying to use a client authentication certificate?  i.e. passing the certificate for authentication instead of a password?  If that's the case then the private key should be on your box and have nothing to do with the private key of the SOAP server.  The SOAP server will have its own web server SSL styled certificate and its own private key that you don't need to worry about - you would just get the public version of the cert and validate that.

Side note - PEM and Base64 are almost synonymous and tend to be used interchangeably.  Basically non-BER/DER.

I'm assuming you had openssl pkcs12 -in file.p12 -out file.pem

The private key is the same in both the .p12 and the .pem files.  Would it be easier to split them into different files maybe?
openssl pkcs12 -in %SiteName%.p12 -nocerts -out %SiteName%_key.pem
openssl pkcs12 -in %SiteName%.p12 -nokeys -out %SiteName%_cert.pem
openssl pkcs12 -in %SiteName%.p12 -cacerts -out CA_Certs.pem

The vendor that you are connecting to issued you the certificate, correct?  Then they should hopefully know that they need to have their internal root chain installed on the web server, but I wouldn't make assumptions even for larger companies that all their admins are familiar with this stuff (hopefully they do).

I'm not sure how your code is written, but SSL handshakes usually have a little bit of a delay built in even with fast connections - make sure your code is waiting for the handshake to complete before continuing, or at least pause for 35 seconds to allow for the handshake to occur.
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 100 total points
ID: 33644849
you should just be able to cut and paste - each section in a pem file is bounded by markers like -------- begin private key --------- and you can just copy each block.

if you want to do it with a gui tool though, use to import the p12, and export each bit into a separate file that way to suit your needs :)

Author Comment

ID: 33657982
Just to wrap up this question.

First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood.  When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.


Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question