Solved

Openssl on Windows 2008 R2

Posted on 2015-01-26
Last Modified: 2015-01-27
I am having a problem with the PKCS12 format.

So here is some background on what I am doing.  I am working on a Windows 2008R2 server and attempting to set up a self-signed certificate for clients to use when authenticating to an application via a remote client.  The application vendor has provided me with some instructions on how to do this.  So far most of the instructions worked, but not particularly well.  

I have created the directory/subdirectory structures, the index file and serial file.

mkdir caserver
cd caserver
mkdir certs
mkdir certs\private
mkdir certs\newcerts

echo 2 > certs\index.txt
echo 21 > certs\serial


Modified the openssl.cfg file appropriately.  Then generated the cakey.pem and the cacert.pem.  

openssl.exe req -new -x509 -days 365 -keyout certs\private\cakey.pem -out certs\cacert.pem

From there I have created the server_csr.pem and server_key.pem.  

openssl.exe req -days 365 -out server_csr.pem -new -newkey rsa:2048 -keyout server_key.pem

After that I have used the server_csr.pem to create the server_cert.pem.

openssl.exe ca -in server_csr.pem -out server_cert.pem

OK, at this point I run this:

openssl.exe pkcs12 -export -in server_cert.pem -inkey server_key.pem > server.p12

This creates the server.p12 file.  At this point I am supposed to create the certificate and key in the proper format with these commands:

openssl.exe pkcs12 -in server.p12 -out server-cert.pem -nokeys

and

openssl.exe pkcs12 -in server.p12 -out server-key.pem -nocerts -nodes

These final two commands are what I cannot get working.  They give me the following errors:

:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS12

Any help that you can render me would be appreciated.  Also, unfortunately I cannot upload anything, though I can and will answer questions to the best of my ability.

Respectfully,

Dan
Question by:Campbelldw
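An added diagnostic (not code from the question or the answer) for the "wrong tag ... Type=PKCS12" error: OpenSSL reads a PKCS#12 file as raw DER, so the file must begin with a SEQUENCE tag (0x30) whose encoded length covers the whole file; this script reports a Unicode BOM from text transcoding (for example PowerShell's `>` redirection, which writes UTF-16 text, unlike `openssl pkcs12 -export -out`, which writes the bytes directly), PEM text, a wrong first tag, or a truncated file. The sample blobs are constructed, and whether redirection caused the failure in this thread is an assumption.

```python
# Added diagnostic, not from the question or the answer above.
# OpenSSL's pkcs12 command parses the file as DER: the outermost element
# must be a SEQUENCE (0x30) whose length covers the whole file. Anything
# else fails at "ASN1_CHECK_TLEN:wrong tag ... Type=PKCS12".

def der_header(data: bytes):
    """Parse the outermost DER tag/length; return (tag, header_len, body_len) or None."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def diagnose_p12(data: bytes) -> str:
    """Explain why OpenSSL would reject `data` as PKCS#12, or report 'ok'."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff", b"\xef\xbb\xbf")):
        return "text-transcoded: file starts with a Unicode BOM, not DER"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem: file is PEM text, not a DER PKCS#12 blob"
    hdr = der_header(data)
    if hdr is None:
        return "truncated: too short to hold a DER header"
    tag, hlen, blen = hdr
    if tag != 0x30:
        return f"wrong tag: first byte is 0x{tag:02x}, expected 0x30 (SEQUENCE)"
    if hlen + blen != len(data):
        return f"length mismatch: header covers {hlen + blen} bytes, file has {len(data)}"
    return "ok: DER SEQUENCE header is consistent with the file size"

def diagnose_file(path: str) -> str:
    with open(path, "rb") as f:
        return diagnose_p12(f.read())

# Constructed samples (not real PKCS#12 content): a well-formed outer
# SEQUENCE holding 256 zero bytes, the same bytes widened to UTF-16 with a
# BOM as a text redirection would leave them, and a copy cut short.
GOOD = b"\x30\x82\x01\x00" + b"\x00" * 256
TRANSCODED = b"\xff\xfe" + b"".join(bytes([b, 0]) for b in GOOD)
SHORT = GOOD[:100]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("transcoded", TRANSCODED), ("short", SHORT)):
        print(f"{name:11s} {diagnose_p12(blob)}")
```

Run `diagnose_file("server.p12")` on the exported file; a result other than "ok" means the problem is the bytes on disk rather than the key or certificate inside.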
Accepted Solution

by:
btan earned 500 total points
ID: 40571816
Likely the p12 is not in the right format, hence the error messages... You can check the format of the p12 ("server.p12") and its key ("server_key.pem"). Below are general commands for checking.

e.g. Check a private key >> openssl rsa -in privateKey.key -check
e.g. Check a PKCS#12 file (.pfx or .p12) >> openssl pkcs12 -info -in keyStore.p12
https://www.sslshopper.com/article-most-common-openssl-commands.html

Also, if you have the CA installed, you can already generate a self-signed certificate as below.

1) Generate a self-signed certificate
>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Step 2 is actually optional, as you can simply go straight to step 3 to check and proceed to generate the p12 or pfx. Otherwise, you can regenerate another CSR to have a new cert issued...
2) Generate a certificate signing request (CSR) for an existing private key
>> openssl req -out CSR.csr -key privateKey.key -new
OR
2) Generate a certificate signing request based on an existing certificate
>> openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
3) Checking (besides the earlier mentioned), you can
Check an MD5 hash of the public key (e.g. certificate.crt) to ensure that it matches with what is in a CSR (CSR.csr) or private key (privateKey.key) e.g.
>> openssl x509 -noout -modulus -in certificate.crt | openssl md5
>> openssl rsa -noout -modulus -in privateKey.key | openssl md5
>> openssl req -noout -modulus -in CSR.csr | openssl md5

4) With the above private keys (e.g. privateKey.key), you can export the needed PKCS#12 (e.g. p12 or pfx) as needed.
e.g. PEM certificate file and a private key to PKCS#12 (.pfx or .p12)
>> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

If you need the p12 or pfx in PEM format, you can proceed to below Step 5.
5) e.g. PKCS#12 (.pfx .p12) containing a private key and certificates to PEM
>> openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
(You can add -nocerts to only output the private key or add -nokeys to only output the certificates)

The latter PEM file should have the format:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Author Closing Comment

by:Campbelldw
ID: 40573771
This worked perfectly.  It got the key and cert and the system is up and running now.  My thanks.