Confusion over PKCS contents when converting to PEM format

Posted on 2010-09-09
Last Modified: 2013-11-19
I have been provided a PKCS12 (P12) file for use on a Windows platform when accessing a SOAP server.
However, I need to convert the P12 file into PEM format so that I can access the same SOAP server from PHP on a Linux box.
I did this a while ago but can't get it to work again, so I am going back to basics.

Using openssl on the Linux box, I am able to convert the P12 to PEM
 openssl -in mycert.p12 -out mycert.pem

The resultant PEM file contains three sections: a private key, the CA certificate (vendor specific) and the site certificate (coded up using Base64, I think).

However, using the resultant PEM file in the PHP code, I am disallowed access to the SOAP data calls.

When running openssl on the P12, I am asked for the passcode, presumably for the private key.  I provide that, no problem.
However, I am then prompted for a passcode for the resultant PEM file, which I make the same as the original P12 passcode.
The PEM file is then created.

I presume the private key (that was generated for me by the vendor) is paired with a public key on the SOAP server.
Therefore, if I am generating a new private key in the PEM file (due to the provision of a PEM passcode), surely the private key in the PEM file is not going to be the same as the original one provided by the vendor.
This is where I think the problem is in the PHP call.

My question is, is there a way to split the P12 file into the three parts, ca, cert and key, but retaining the private key in the original P12 file?
I am sure I did this a year ago using some tools with putty, but can't seem to do that now for some reason.

Could someone confirm my understanding is correct regarding the private key 'regeneration' and ideally point me in the right direction for generating the PEM file without data loss/change.

Thanks
BT
Question by:brothertom
3 Comments
Accepted Solution

by: Paranormastic
Sounds like you are trying to use a client authentication certificate?  i.e. passing the certificate for authentication instead of a password?  If that's the case then the private key should be on your box and have nothing to do with the private key of the SOAP server.  The SOAP server will have its own web server SSL styled certificate and its own private key that you don't need to worry about - you would just get the public version of the cert and validate that.

Side note - PEM and Base64 are almost synonymous and tend to be used interchangeably.  Basically non-BER/DER.

I'm assuming you had openssl pkcs12 -in file.p12 -out file.pem

The private key is the same in both the .p12 and the .pem files.  Would it be easier to split them into different files maybe?
openssl pkcs12 -in %SiteName%.p12 -nocerts -out %SiteName%_key.pem
openssl pkcs12 -in %SiteName%.p12 -nokeys -out %SiteName%_cert.pem
openssl pkcs12 -in %SiteName%.p12 -cacerts -out CA_Certs.pem

The vendor that you are connecting to issued you the certificate, correct?  Then they should hopefully know that they need to have their internal root chain installed on the web server, but I wouldn't make assumptions even for larger companies that all their admins are familiar with this stuff (hopefully they do).

I'm not sure how your code is written, but SSL handshakes usually have a little bit of a delay built in even with fast connections - make sure your code is waiting for the handshake to complete before continuing, or at least pause for 35 seconds to allow for the handshake to occur.
Assisted Solution

by: Dave Howe
you should just be able to cut and paste - each section in a pem file is bounded by markers like -------- begin private key --------- and you can just copy each block.

if you want to do it with a gui tool though, use http://sourceforge.net/projects/xca to import the p12, and export each bit into a separate file that way to suit your needs :)
Author Comment

by: brothertom
Just to wrap up this question.


First, thanks for the response - it pointed me in the right direction.

It turned out that the PHP library uses curl under the hood. When testing with just curl, it was failing too.
However, curl did work with the separate key, cert and cacert files.

In the combined PEM file, we have the following sections
private key | cacert | site cert

I removed the cacert from the combined PEM file, then curl and php call worked fine.

I think the cacert certificate was being used as the site cert and of course did not authenticate.  Removal of the cacert only left the site cert in the PEM file and this worked fine.

Cheers
BT
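The split that Paranormastic's answer suggests and the CA-cert mix-up brothertom found in his wrap-up, as an added example that is not code from this thread: it exports key, site cert and CA cert into separate PEM files, then checks that the exported key is the same key as the one in the site cert (only its passphrase wrapper changes) and that the CA cert belongs to a different key. It assumes the openssl CLI is on PATH; both passphrases are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: split a vendor-issued PKCS#12
# bundle into key / site cert / CA cert PEM files, then prove the exported
# key is the SAME key (only its passphrase wrapper changes) and that the
# CA cert carries a different public key.
# Assumes the openssl CLI is on PATH; both passphrases are constructed.
set -eu

P12_PASS="p12pass"   # passphrase the vendor set on the .p12 (constructed)
PEM_PASS="pempass"   # passphrase openssl asks for when writing the PEM key

# split_p12 BUNDLE PREFIX -> PREFIX_key.pem, PREFIX_cert.pem, PREFIX_ca.pem
split_p12() {
    bundle=$1; prefix=$2
    # -nocerts: private key only; -passout re-wraps it, it is not regenerated
    openssl pkcs12 -in "$bundle" -nocerts -passin "pass:$P12_PASS" \
        -passout "pass:$PEM_PASS" -out "${prefix}_key.pem"
    # -clcerts -nokeys: the end-entity (site/client) certificate only
    openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$P12_PASS" \
        -out "${prefix}_cert.pem"
    # -cacerts -nokeys: the issuing chain, kept out of the file handed to
    # curl/PHP so it cannot be mistaken for the client certificate
    openssl pkcs12 -in "$bundle" -cacerts -nokeys -passin "pass:$P12_PASS" \
        -out "${prefix}_ca.pem"
}

# SHA-256 of the public key (SubjectPublicKeyInfo) held in a PEM private key
key_pub_fp() {
    openssl pkey -in "$1" -passin "pass:$PEM_PASS" -pubout \
        | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key inside a PEM certificate
cert_pub_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# keys_match KEY.pem CERT.pem: succeeds only if the two are a pair
keys_match() {
    [ "$(key_pub_fp "$1")" = "$(cert_pub_fp "$2")" ]
}

# Usage: split_p12 mycert.p12 mycert && keys_match mycert_key.pem mycert_cert.pem
```

Passing only `mycert_key.pem` and `mycert_cert.pem` to curl or PHP reproduces the working setup from the wrap-up; the `_ca.pem` file is for verifying the server side, not for client authentication.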
