Status: Solved

Openssl on Windows 2008 R2

I am having a problem with the PKCS12 format.

So here is some background on what I am doing.  I am working on a Windows 2008R2 server and attempting to set up a self-signed certificate for clients to use when authenticating to an application via a remote client.  The application vendor has provided me with some instructions on how to do this.  So far most of the instructions worked, but not particularly well.  

I have created the directory/subdirectory structures, the index file and serial file.

mkdir caserver
cd caserver
mkdir certs
mkdir certs\private
mkdir certs\newcerts

echo 2 > certs\index.txt
echo 21 > certs\serial

Modified the openssl.cfg file appropriately.  Then generated the cakey.pem and the cacert.pem.  

openssl.exe req -new -x509 -days 365 -keyout certs\private\cakey.pem -out certs\cacert.pem

From there I have created the server_csr.pem and server_key.pem.  

openssl.exe req -days 365 -out server_csr.pem -new -newkey rsa:2048 -keyout server_key.pem

After that I have used the server_csr.pem to create the server_cert.pem

openssl.exe ca -in server_csr.pem -out server_cert.pem

Ok at this point I run this:

openssl.exe pkcs12 -export -in server_cert.pem -inkey server_key.pem > server.p12

This creates the server.p12 file.  At this point I am supposed to create the certificate and key in the proper format with these commands:

openssl.exe pkcs12 -in server.p12 -out server-cert.pem -nokeys

openssl.exe pkcs12 -in server.p12 -out server-key.pem -nocerts -nodes

These final two commands are what I cannot get working.  They give me the following errors:

:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS12

Any help that you can render me would be appreciated.  Also, unfortunately I cannot upload anything, though I can and will answer questions to the best of my ability.


1 Solution
btan (Exec Consultant) Commented:
likely the p12 is not in right format hence the error messages...can check the format of p12 ("server.p12") and its key ("server_key.pem"). Below is general command for checking

e.g. Check a private key >> openssl rsa -in privateKey.key -check
e.g. Check a PKCS#12 file (.pfx or .p12) >> openssl pkcs12 -info -in keyStore.p12

also if you have the ca installed, you can already generate a self-signed as below

1) Generate a self-signed certificate
>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

The step 2 is actually optional as you can simply go straight for step 3 to check and proceed to generate the p12 or pfx. Otherwise, you can regenerate another CSR to have new cert issued...
2a) Generate a certificate signing request (CSR) for an existing private key
>> openssl req -out CSR.csr -key privateKey.key -new
2b) Generate a certificate signing request based on an existing certificate
>> openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
3) Checking (besides the earlier mentioned), you can
Check an MD5 hash of the public key (e.g. certificate.crt) to ensure that it matches with what is in a CSR (CSR.csr) or private key (privateKey.key) e.g.
>> openssl x509 -noout -modulus -in certificate.crt | openssl md5
>> openssl rsa -noout -modulus -in privateKey.key | openssl md5
>> openssl req -noout -modulus -in CSR.csr | openssl md5

4) With the above private keys (e.g. privateKey.key), you can export the needed PKCS#12 (e.g. p12 or pfx) as needed.
e.g. PEM certificate file and a private key to PKCS#12 (.pfx or .p12)
>> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

If you need the p12 or pfx in PEM format, you can proceed to below Step 5.
5) e.g. PKCS#12 (.pfx .p12) containing a private key and certificates to PEM
>> openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
(You can add -nocerts to only output the private key or add -nokeys to only output the certificates)

The latter PEM file should have the format:
-----END PRIVATE KEY-----
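The following script is an added example and is not code from the question, from btan's answer, or from the application vendor. It walks the same path both posts describe (key and certificate, then PKCS#12, then back to separate PEM files) and runs the two checks from the answer in between: the modulus comparison and `openssl pkcs12 -info`. It also feeds the check a deliberately damaged bundle so you can see what a rejection looks like before you try to extract anything. One thing it does differently from the question is writing the .p12 with `-out` rather than `>`; on Windows, stdout may be a text-mode stream that rewrites line endings, and that damages DER. All file names, the subject `/CN=example-client` and the password `changeit` are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Round trip: key + cert -> PKCS#12 ->
# PEM again, with the answer's checks in between. File names, the subject
# "/CN=example-client" and the password "changeit" are constructed values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit

# Answer step 1: self-signed certificate with an unencrypted (-nodes) key.
make_selfsigned() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=example-client" \
    -keyout "$WORK/privateKey.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# Answer step 3: certificate and key must carry the same RSA modulus,
# otherwise the PKCS#12 export pairs a key with the wrong certificate.
modulus_match() {
  cert_md5=$(openssl x509 -noout -modulus -in "$WORK/certificate.crt" | openssl md5)
  key_md5=$(openssl rsa -noout -modulus -in "$WORK/privateKey.key" | openssl md5)
  [ "$cert_md5" = "$key_md5" ]
}

# Answer step 4: export to PKCS#12. Written with -out, not shell redirection,
# so the DER bytes reach the file untouched.
export_p12() {
  openssl pkcs12 -export -in "$WORK/certificate.crt" -inkey "$WORK/privateKey.key" \
    -out "$WORK/certificate.p12" -passout "pass:$PASS"
}

# The answer's PKCS#12 check: exit status 0 only if the file parses as PKCS#12
# and its MAC verifies against the password. Nothing is written out.
check_p12() {
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" >/dev/null 2>&1
}

# Answer step 5 / the question's last two commands: certificate only, key only.
extract_pem() {
  openssl pkcs12 -in "$WORK/certificate.p12" -passin "pass:$PASS" -nokeys \
    -out "$WORK/server-cert.pem"
  openssl pkcs12 -in "$WORK/certificate.p12" -passin "pass:$PASS" -nocerts -nodes \
    -out "$WORK/server-key.pem"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$WORK/server-cert.pem" &&
    grep -q -- '-----END PRIVATE KEY-----' "$WORK/server-key.pem"
}

# Whole round trip, then a damaged copy (constructed by truncating the bundle)
# to confirm the check rejects a file the PKCS#12 parser cannot read.
run_demo() {
  make_selfsigned
  modulus_match
  export_p12
  check_p12 "$WORK/certificate.p12"
  extract_pem
  head -c 64 "$WORK/certificate.p12" > "$WORK/broken.p12"
  if check_p12 "$WORK/broken.p12"; then
    return 1
  fi
  echo "round trip ok, damaged bundle rejected"
}

run_demo
```

Run it wherever an `openssl` binary is on the path; on the Windows server in the question the same commands apply with `openssl.exe`, and the point to carry over is that `check_p12` fails on the truncated copy with the same `asn1 encoding routines` family of errors the question shows, while the bundle written with `-out` passes and extracts cleanly.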
Campbelldw (Author) Commented:
This worked perfectly.  It got the key and cert and the system is up and running now.  My thanks.
