Solved

Openssl on Windows 2008 R2

Posted on 2015-01-26
2
297 Views
Last Modified: 2015-01-27
I am having a problem with the PKCS12 format.

So here is some background on what I am doing.  I am working on a Windows 2008R2 server and attempting to set up a self-signed certificate for clients to use when authenticating to an application via a remote client.  The application vendor has provided me with some instructions on how to do this.  So far most of the instructions worked, but not particularly well.  

I have created the directory/subdirectory structures, the index file and serial file.

mkdir caserver
cd caserver
mkdir certs
mkdir certs\private
mkdir certs\newcerts

echo 2 > certs\index.txt
echo 21 > certs\serial


Modified the openssl.cfg file appropriately.  Then generated the cakey.pem and the cacert.pem.  

openssl.exe req -new -x509 -days 365 -keyout certs\private\cakey.pem -out certs\cacert.pem

From there I have created the server_csr.pem and server_key.pem.  

openssl.exe req -days 365 -out server_csr.pem -new -newkey rsa:2048 -keyout server_key.pem

After that I have used the server_csr.pem to create the server_cert.pem

openssl.exe ca -in server_csr.pem -out server_cert.pem

Ok at this point I run this:

openssl.exe pkcs12 -export -in server_cert.pem -inkey server_key.pem > server.p12

This creates the server.p12 file.  At this point I am supposed to create the certificate and key in the proper format with these commands

openssl.exe pkcs12 -in server.p12 -out server-cert.pem -nokeys

and

openssl.exe pkcs12 -in server.p12 -out server-key.pem -nocerts -nodes

These final two commands are what I cannot get working.  They give me the following errors:

:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS12

Any help that you can render me would be appreciated.  Also unfortunately I cannot upload anything though I can an will answer questions to the best of my ability.

Respectfully,

Dan
0
Comment
Question by:Campbelldw
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40571816
likely the p12 is not in right format hence the error messages...can check the format of p12 (" server.p12") and its key ("server_key.pem"). Below is general command fro checking

e.g. Check a private key >> openssl rsa -in privateKey.key -check
e.g. Check a PKCS#12 file (.pfx or .p12) >> openssl pkcs12 -info -in keyStore.p12
https://www.sslshopper.com/article-most-common-openssl-commands.html

also if you have the ca installed, you can already generate a self-signed as below

1) Generate a self-signed certificate
>> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

The step 2 is actually option as you can simply go straight for step 3 to check and proceed to generate the p12 or pfx. Otherwise, you can regenerate another CSR to have new cert issued...
2) Generate a certificate signing request (CSR) for an existing private key
>> openssl req -out CSR.csr -key privateKey.key -new
OR
2) Generate a certificate signing request based on an existing certificate
>> openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
3) Checking (besides the earlier mentioned), you can
Check an MD5 hash of the public key (e.g. certificate.crt) to ensure that it matches with what is in a CSR (CSR.csr) or private key (privateKey.key) e.g.
>> openssl x509 -noout -modulus -in certificate.crt | openssl md5
>> openssl rsa -noout -modulus -in privateKey.key | openssl md5
>> openssl req -noout -modulus -in CSR.csr | openssl md5

4) With the above private keys (e.g. privateKey.key), you can export the needed PKCS#12 (e.g. p12 or pfx) as needed.
e.g. PEM certificate file and a private key to PKCS#12 (.pfx or .p12)
>> openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

If you need the p12 or pfx in PEM format, you can proceed to below Step 5.
5) e.g. PKCS#12 (.pfx .p12) containing a private key and certificates to PEM
>> openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
(You can add -nocerts to only output the private key or add -nokeys to only output the certificates)

 The latter PEM file should have format in  
-----BEGIN PRIVATE KEY-----
 -----END PRIVATE KEY-----
0
 

Author Closing Comment

by:Campbelldw
ID: 40573771
This worked perfectly.  It got the key and cert and the system is up and running now.  My thanks.
0

Featured Post

Enroll in June's Course of the Month

June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question