Openssl on Windows 2008 R2

Posted on 2015-01-26
Last Modified: 2015-01-27
I am having a problem with the PKCS12 format.

So here is some background on what I am doing.  I am working on a Windows 2008R2 server and attempting to set up a self-signed certificate for clients to use when authenticating to an application via a remote client.  The application vendor has provided me with some instructions on how to do this.  So far most of the instructions worked, but not particularly well.  

I have created the directory/subdirectory structures, the index file and serial file.

mkdir caserver
cd caserver
mkdir certs
mkdir certs\private
mkdir certs\newcerts

echo 2 > certs\index.txt
echo 21 > certs\serial

Modified the openssl.cfg file appropriately.  Then generated the cakey.pem and the cacert.pem.  

openssl.exe req -new -x509 -days 365 -keyout certs\private\cakey.pem -out certs\cacert.pem

From there I have created the server_csr.pem and server_key.pem.  

openssl.exe req -days 365 -out server_csr.pem -new -newkey rsa:2048 -keyout server_key.pem

After that I have used the server_csr.pem to create the server_cert.pem

openssl.exe ca -in server_csr.pem -out server_cert.pem

Ok at this point I run this:

openssl.exe pkcs12 -export -in server_cert.pem -inkey server_key.pem > server.p12

This creates the server.p12 file.  At this point I am supposed to create the certificate and key in the proper format with these commands

openssl.exe pkcs12 -in server.p12 -out server-cert.pem -nokeys


openssl.exe pkcs12 -in server.p12 -out server-key.pem -nocerts -nodes

These final two commands are what I cannot get working.  They give me the following errors:

:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS12

Any help that you can render me would be appreciated.  Also unfortunately I cannot upload anything though I can an will answer questions to the best of my ability.


Question by:Campbelldw
LVL 61

Accepted Solution

btan earned 500 total points
ID: 40571816
likely the p12 is not in right format hence the error messages...can check the format of p12 (" server.p12") and its key ("server_key.pem"). Below is general command fro checking

e.g. Check a private key >> openssl rsa -in privateKey.key -check
e.g. Check a PKCS#12 file (.pfx or .p12) >> openssl pkcs12 -info -in keyStore.p12

also if you have the ca installed, you can already generate a self-signed as below

1) Generate a self-signed certificate
>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

The step 2 is actually option as you can simply go straight for step 3 to check and proceed to generate the p12 or pfx. Otherwise, you can regenerate another CSR to have new cert issued...
2) Generate a certificate signing request (CSR) for an existing private key
>> openssl req -out CSR.csr -key privateKey.key -new
2) Generate a certificate signing request based on an existing certificate
>> openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
3) Checking (besides the earlier mentioned), you can
Check an MD5 hash of the public key (e.g. certificate.crt) to ensure that it matches with what is in a CSR (CSR.csr) or private key (privateKey.key) e.g.
>> openssl x509 -noout -modulus -in certificate.crt | openssl md5
>> openssl rsa -noout -modulus -in privateKey.key | openssl md5
>> openssl req -noout -modulus -in CSR.csr | openssl md5

4) With the above private keys (e.g. privateKey.key), you can export the needed PKCS#12 (e.g. p12 or pfx) as needed.
e.g. PEM certificate file and a private key to PKCS#12 (.pfx or .p12)
>> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

If you need the p12 or pfx in PEM format, you can proceed to below Step 5.
5) e.g. PKCS#12 (.pfx .p12) containing a private key and certificates to PEM
>> openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
(You can add -nocerts to only output the private key or add -nokeys to only output the certificates)

 The latter PEM file should have format in  
 -----END PRIVATE KEY-----

Author Closing Comment

ID: 40573771
This worked perfectly.  It got the key and cert and the system is up and running now.  My thanks.

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
Imagine a situation that you have installed SSL ( Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now