Confusion over PKCS contents when converting to PEM format

Posted on 2010-09-09
Medium Priority
Last Modified: 2013-11-19
I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again, so going back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
 openssl pkcs12 -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections: a private key, the CA certificate (vendor specific) and the Site certificate (coded up using Base64, I think).

However, using the resultant PEM file in the PHP code, I am disallowed access to the SOAP data calls.

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts, ca, cert and key, but retaining the private key from the original P12 file?
I am sure I did a year ago using some tools with putty, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change.

Question by:brothertom
LVL 31

Accepted Solution

Paranormastic earned 1600 total points
ID: 33642161
Sounds like you are trying to use a client authentication certificate?  i.e. passing the certificate for authentication instead of a password?  If that's the case then the private key should be on your box and have nothing to do with the private key of the SOAP server.  The SOAP server will have its own web server SSL styled certificate and its own private key that you don't need to worry about - you would just get the public version of the cert and validate that.

Side note - PEM and Base64 are almost synonymous and tend to be used interchangeably.  Basically non-BER/DER.

I'm assuming you had openssl pkcs12 -in file.p12 -out file.pem

The private key is the same in both the .p12 and the .pem files.  Would it be easier to split them into different files maybe?
openssl pkcs12 -in %SiteName%.p12 -nocerts -out %SiteName%_key.pem
openssl pkcs12 -in %SiteName%.p12 -nokeys -out %SiteName%_cert.pem
openssl pkcs12 -in %SiteName%.p12 -cacerts -out CA_Certs.pem

The vendor that you are connecting to issued you the certificate, correct?  Then they should hopefully know that they need to have their internal root chain installed on the web server, but I wouldn't make assumptions even for larger companies that all their admins are familiar with this stuff (hopefully they do).

I'm not sure how your code is written, but SSL handshakes usually have a little bit of a delay built in even with fast connections - make sure your code is waiting for the handshake to complete before continuing, or at least pause for 35 seconds to allow for the handshake to occur.
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 400 total points
ID: 33644849
You should just be able to cut and paste - each section in a PEM file is bounded by markers like -------- begin private key --------- and you can just copy each block.

If you want to do it with a GUI tool though, use to import the p12, and export each bit into a separate file that way to suit your needs :)

Author Comment

ID: 33657982
Just to wrap up this question.

First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood.  When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.
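The following script is an added example, not code from the thread's participants. It reproduces the whole round trip that the accepted answer and the author's wrap-up describe: it builds a throwaway CA and client key/certificate (constructed stand-ins for what the vendor would supply), packs them into a P12 with a constructed passcode, splits the P12 into separate key, client-cert and CA-cert PEM files, and then checks that the private key coming out of the P12 is the same key that went in. The second passphrase prompt the asker saw only encrypts the exported key on disk; `-nodes` skips it, and `-clcerts` selects just the certificate that pairs with the key, so the CA certificate can never be mistaken for the site certificate the way it was in the combined file. The file names, the `WORK` directory and the `P12_PASS` value are assumptions of this example.

```shell
#!/bin/sh
# Added example: P12 -> PEM split with a check that the private key is unchanged.
# Everything here is constructed locally; nothing is taken from the vendor's real P12.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="constructed-p12-pass"   # constructed; stands in for the vendor's passcode

make_test_p12() {
  # Constructed vendor CA (self-signed) and a client key/cert signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
      -subj "/CN=Example Vendor CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/site.key" -out "$WORK/site.csr" \
      -subj "/CN=example-client" 2>/dev/null
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$WORK/site.crt" -days 1 2>/dev/null
  # Bundle key + client cert + CA cert into one PKCS#12 file, as the vendor would.
  openssl pkcs12 -export -inkey "$WORK/site.key" -in "$WORK/site.crt" \
      -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/mycert.p12"
}

split_p12() {
  # Private key only. -nodes writes it unencrypted, so there is no second
  # passphrase prompt; the key itself is copied out of the P12, not regenerated.
  openssl pkcs12 -in "$WORK/mycert.p12" -passin "pass:$P12_PASS" \
      -nocerts -nodes -out "$WORK/key.pem"
  # Client (end-entity) certificate only: the one bag that carries the key's localKeyID.
  openssl pkcs12 -in "$WORK/mycert.p12" -passin "pass:$P12_PASS" \
      -nokeys -clcerts -out "$WORK/cert.pem"
  # CA certificate(s) only.
  openssl pkcs12 -in "$WORK/mycert.p12" -passin "pass:$P12_PASS" \
      -nokeys -cacerts -out "$WORK/ca.pem"
}

# Public-key projections let us compare keys without printing private material.
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout; }

# "yes" when the key extracted from the P12 equals the key that was packed into it.
key_unchanged() {
  orig=$(pubkey_of_key "$WORK/site.key")
  split=$(pubkey_of_key "$WORK/key.pem")
  [ -n "$orig" ] && [ "$orig" = "$split" ] && echo yes || echo no
}

# "yes" when the extracted key pairs with the extracted client certificate.
key_matches_cert() {
  k=$(pubkey_of_key "$WORK/key.pem")
  c=$(pubkey_of_cert "$WORK/cert.pem")
  [ -n "$k" ] && [ "$k" = "$c" ] && echo yes || echo no
}

# Number of certificate blocks in a PEM file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

make_test_p12
split_p12
echo "key unchanged after round trip: $(key_unchanged)"
echo "key pairs with extracted cert:  $(key_matches_cert)"
echo "certs in cert.pem: $(count_certs "$WORK/cert.pem"), in ca.pem: $(count_certs "$WORK/ca.pem")"
```

With the three files separated, the curl form the author found working is `curl --cert cert.pem --key key.pem --cacert ca.pem https://...`, where `--cacert` is what the client uses to verify the server and `--cert`/`--key` are the client credential; the same three paths map onto the PHP cURL options for the client certificate, key and CA bundle.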
