Openssl on Windows 2008 R2

Posted on 2015-01-26
Last Modified: 2015-01-27
I am having a problem with the PKCS12 format.

So here is some background on what I am doing.  I am working on a Windows 2008R2 server and attempting to set up a self-signed certificate for clients to use when authenticating to an application via a remote client.  The application vendor has provided me with some instructions on how to do this.  So far most of the instructions worked, but not particularly well.  

I have created the directory/subdirectory structures, the index file and serial file.

mkdir caserver
cd caserver
mkdir certs
mkdir certs\private
mkdir certs\newcerts

echo 2 > certs\index.txt
echo 21 > certs\serial

Modified the openssl.cfg file appropriately.  Then generated the cakey.pem and the cacert.pem.  

openssl.exe req -new -x509 -days 365 -keyout certs\private\cakey.pem -out certs\cacert.pem

From there I have created the server_csr.pem and server_key.pem.  

openssl.exe req -days 365 -out server_csr.pem -new -newkey rsa:2048 -keyout server_key.pem

After that I have used the server_csr.pem to create the server_cert.pem

openssl.exe ca -in server_csr.pem -out server_cert.pem

Ok at this point I run this:

openssl.exe pkcs12 -export -in server_cert.pem -inkey server_key.pem > server.p12

This creates the server.p12 file.  At this point I am supposed to create the certificate and key in the proper format with these commands

openssl.exe pkcs12 -in server.p12 -out server-cert.pem -nokeys


openssl.exe pkcs12 -in server.p12 -out server-key.pem -nocerts -nodes

These final two commands are what I cannot get working.  They give me the following errors:

:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS12

Any help that you can render me would be appreciated.  Also unfortunately I cannot upload anything though I can an will answer questions to the best of my ability.


Question by:Campbelldw
LVL 63

Accepted Solution

btan earned 500 total points
ID: 40571816
likely the p12 is not in right format hence the error messages...can check the format of p12 (" server.p12") and its key ("server_key.pem"). Below is general command fro checking

e.g. Check a private key >> openssl rsa -in privateKey.key -check
e.g. Check a PKCS#12 file (.pfx or .p12) >> openssl pkcs12 -info -in keyStore.p12

also if you have the ca installed, you can already generate a self-signed as below

1) Generate a self-signed certificate
>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

The step 2 is actually option as you can simply go straight for step 3 to check and proceed to generate the p12 or pfx. Otherwise, you can regenerate another CSR to have new cert issued...
2) Generate a certificate signing request (CSR) for an existing private key
>> openssl req -out CSR.csr -key privateKey.key -new
2) Generate a certificate signing request based on an existing certificate
>> openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
3) Checking (besides the earlier mentioned), you can
Check an MD5 hash of the public key (e.g. certificate.crt) to ensure that it matches with what is in a CSR (CSR.csr) or private key (privateKey.key) e.g.
>> openssl x509 -noout -modulus -in certificate.crt | openssl md5
>> openssl rsa -noout -modulus -in privateKey.key | openssl md5
>> openssl req -noout -modulus -in CSR.csr | openssl md5

4) With the above private keys (e.g. privateKey.key), you can export the needed PKCS#12 (e.g. p12 or pfx) as needed.
e.g. PEM certificate file and a private key to PKCS#12 (.pfx or .p12)
>> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

If you need the p12 or pfx in PEM format, you can proceed to below Step 5.
5) e.g. PKCS#12 (.pfx .p12) containing a private key and certificates to PEM
>> openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
(You can add -nocerts to only output the private key or add -nokeys to only output the certificates)

 The latter PEM file should have format in  
 -----END PRIVATE KEY-----

Author Closing Comment

ID: 40573771
This worked perfectly.  It got the key and cert and the system is up and running now.  My thanks.

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

We've all had that page pop up telling us there is a problem with the certificate and some of us continue on anyways and others run away to a safer competing site.  But what to do when you get the error - is it your problem or theirs?  What can you …
So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question