brothertom

asked on

Confusion over PKCS contents when converting to PEM format

I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again, so going back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
 openssl pkcs12 -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections: a private key, the CA certificate (vendor specific) and the Site certificate (coded up using BASE 64 I think).

However, using the resultant PEM file in the PHP code, I am disallowed access to the SOAP data calls.

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts, ca, cert and key, but retaining the private key in the original P12 file?
I am sure I did a year ago using some tools with putty, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change?

Thanks
BT
ASKER CERTIFIED SOLUTION
Paranormastic
brothertom

ASKER

Just to wrap up this question.


First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood.  When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.

Cheers
BT
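
Added example (not from the thread or its hidden answers): a shell script that builds a throwaway P12, splits it into key, site cert and CA cert with `openssl pkcs12`, and compares public-key hashes to check that the extracted key is the one in the P12 and whether the first certificate in a file belongs to it. All file names, subject names and the password are constructed.

```shell
#!/usr/bin/env bash
# Added example: file names, subject names and the password are constructed.
set -eu
cd "$(mktemp -d)"
PW='example-pass'   # constructed P12 / PEM pass phrase

# Throwaway CA plus a client ("site") key and cert, bundled into a P12.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Vendor CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout orig.key -out site.csr \
    -subj "/CN=example-client" 2>/dev/null
  openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out site.crt -days 1 2>/dev/null
  openssl pkcs12 -export -inkey orig.key -in site.crt -certfile ca.crt \
    -out mycert.p12 -passout "pass:$PW"
}

# One output file per component instead of a single combined PEM.
split_p12() {
  openssl pkcs12 -in mycert.p12 -passin "pass:$PW" -nocerts -nodes  -out key.pem
  openssl pkcs12 -in mycert.p12 -passin "pass:$PW" -clcerts -nokeys -out cert.pem
  openssl pkcs12 -in mycert.p12 -passin "pass:$PW" -cacerts -nokeys -out cacert.pem
  # The same key again, this time written encrypted under a PEM pass phrase.
  openssl pkcs12 -in mycert.p12 -passin "pass:$PW" -nocerts \
    -passout "pass:$PW" -out key.enc.pem
  chmod 600 key.pem key.enc.pem
}

# SHA-256 over the PEM-encoded public key; equal hashes mean the same key pair.
key_pub()  { openssl pkey -in "$1" -passin "pass:$PW" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

make_sample_p12
split_p12
# Certificate order reported in the thread: CA cert first, site cert second.
cat cacert.pem cert.pem > certs_as_reported.pem

echo "key bundled into P12     : $(key_pub orig.key)"
echo "key.pem (unencrypted)    : $(key_pub key.pem)"
echo "key.enc.pem (pass phrase): $(key_pub key.enc.pem)"
echo "cert.pem                 : $(cert_pub cert.pem)"
echo "first cert, CA-first file: $(cert_pub certs_as_reported.pem)"
```

The first four hashes are equal; the last differs because `openssl x509` reads only the first certificate in the file, which here is the CA certificate.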