
I have been given a private key that turned out to be in pkcs8 format, which I managed to turn into a pem file using the following command:

openssl pkcs8 -inform der -nocrypt -in private.key -out pkey.pem

I now need to convert this to pkcs12 so I can use it in .NET to create an X509 certificate (also I'd like to import it to windows cert manager).

I tried this command:

openssl pkcs12 -export -name myalias -in mycert.crt -inkey pkey.pem -out keystore.p12

However, I don't have the public key. I've tried using the pkey.pem file as the -in arg, but it tells me "No certificate matches private key". If I try without the -in arg then nothing happens (and I mean nothing, there is a blank row until I press ctrl-c).

How can I generate the public key from the private key, or convert to pkcs12 without the public key?

The first part of this question was from the answer here.

I found an answer that gave me some hope, which says to run this command (-nocerts):

openssl pkcs12 -export -nocerts -inkey your.private.key.pem -out your.private.key.p12

But when I try to import the file into the windows key store, it says "The specified file is empty" while it is importing.

I've also managed to generate a certificate signing request from instructions here, which generated a certificate file, but the command still didn't accept that, saying "No certificate matches private key".

Another answer suggests generating the public key, which I did, but when I use that as the -in arg it still says "No certificate matches private key", which I don't understand, as this public key was generated from the private key using this command: openssl rsa -in privkey.pem -pubout > key.pub

EDIT: I've posted an answer below, but as mentioned I've no way of verifying this information or telling if it works. If anyone has any further information, please let me know.

Mr Shoubs

1 Answer


It would seem:

The following commands turn this into a format usable in windows:

Convert the private key from pkcs8/DER to a PEM file format

openssl pkcs8 -nocrypt -in dealerPrivate.key -inform der -outform pem -out private.pem

Convert the certificate from x509/DER to a PEM file format

openssl x509 -inform der -in dealerCertificate.x509 -out public.pem

Merge the two files into a pkcs12 file – you will be prompted for a password to protect the p12 with

openssl pkcs12 -export -inkey private.pem -in public.pem -out mycert.p12

This gives me a pkcs12 certificate (I think) that I've added to the windows key store and can then access from .NET and attach it to my WCF request.

Unfortunately I can't verify that this works, as the service responds with the same data as my request, which is completely confusing:

Request:

POST http://[HOST].com/services/fsa/1.0 HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uIDPo0ii5Jr5wONMi6i/jkMQdFkAAAAArRV2zOsUrEioQMkqYDWulG6ktjqzCoRLtP+/9VQSARUACQAA
SOAPAction: ""
Host: [HOST]
Content-Length: 299
Expect: 100-continue
Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://[HOST].com/services/fsa/1.0"><String_1 xmlns="">[MY_STRING]</String_1></list></s:Body></s:Envelope>

Response:

HTTP/1.1 200 OK
Date: Thu, 31 Oct 2013 12:19:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a mod_jk/1.2.31
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
VsDebuggerCausalityData: uIDPo0ii5Jr5wONMi6i/jkMQdFkAAAAArRV2zOsUrEioQMkqYDWulG6ktjqzCoRLtP+/9VQSARUACQAA
SOAPAction: ""
host: [HOST]
Expect: 100-continue
connection: Keep-Alive, Keep-Alive
Content-Length: 299
Keep-Alive: timeout=2, max=100
Content-Type: text/xml;charset=utf-8

<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><list xmlns='http://[HOST].com/services/fsa/1.0'><String_1 xmlns=''>[MY_STRING]</String_1></list></s:Body></s:Envelope>
Mr Shoubs
    What you have created is a self-signed certificate signed by your own private key. Note...to avoid confusion, the file extension of your cert should not be ".csr". That refers to a signing request. The question I have is what exactly is your private key and certificate being used for in your client app? Is it for authentication/authorization (via SSL), or is it for signing some content from the server? or something else? – gtrig Oct 31 '13 at 18:09
  • I was provided with the private key and x509 cert by a third party, so I am assuming I need to use the private key to sign and/or encrypt my request and use the public key to read the response from their web service. I have a question here relating to bindings: http://stackoverflow.com/q/19427768/198048. In short, no idea. Apparently I have to guess, but now I have something usable in .Net, I'm one step ahead of where I was before. – Mr Shoubs Nov 01 '13 at 10:40
  • Normally, encrypted communications between a client and a webserver are done through SSL/TLS. The URL starts with "https://". If this is the mechanism you are supposed to use, and you were given a private key, they may require "2-way" or "mutual" SSL, which means that the client must authenticate to the server. This is done through a private key and its matching certificate. If the server trusts the CA that signed the client certificate, it can be authenticated and authorized. If the client trusts the CA that signed the server certificate, it will allow the secure connection. – gtrig Nov 01 '13 at 17:20
  • Does your certificate match your private key? I.e. is the public key that is in the certificate the pair of the private key? – gtrig Nov 01 '13 at 17:20
  • It doesn't appear to be: when I used the openssl pkcs12 command, it says it doesn't match (so I assume it isn't, but I can't tell). It's not a https url, just http. Maybe I just need to sign it, not encrypt it. – Mr Shoubs Nov 04 '13 at 09:25
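The "No certificate matches private key" error and the "does your certificate match your private key?" comment come down to one check: the SubjectPublicKeyInfo derived from the private key must equal the one embedded in the certificate. The following POSIX shell script is an added example (not code from the question or the answer above); it assumes `openssl` is on PATH, performs that check explicitly, and only then runs the same DER-to-PEM and pkcs12 export steps the answer describes. The demo material (two throwaway keys and a self-signed certificate) is constructed by the script itself.

```shell
#!/bin/sh
# Added example: verify key/cert pairing before building a PKCS#12 bundle.
set -eu

# key_matches_cert KEY.pem CERT.pem
# Returns 0 when the public key derived from the private key is byte-for-byte
# the same PEM as the public key carried in the certificate, 1 otherwise.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# bundle_p12 KEY.der CERT.der OUT.p12 PASSWORD
# Converts a pkcs8/DER key and a DER certificate to PEM (as in the answer),
# refuses to continue if they do not belong together, then exports a .p12.
bundle_p12() {
    work=$(mktemp -d)
    openssl pkcs8 -nocrypt -inform der -in "$1" -out "$work/key.pem"
    openssl x509 -inform der -in "$2" -out "$work/cert.pem"
    if ! key_matches_cert "$work/key.pem" "$work/cert.pem"; then
        echo "key and certificate do not match; refusing to build $3" >&2
        rm -rf "$work"
        return 1
    fi
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$3" -passout "pass:$4"
    rm -rf "$work"
}

# demo_setup: constructed test material (hypothetical keys, not real data).
# Key "a" gets a self-signed certificate; key "b" is an unrelated key that
# reproduces the mismatch the question ran into. Sets $DEMO to the directory.
demo_setup() {
    DEMO=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO/a.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO/b.pem" 2>/dev/null
    openssl req -new -x509 -key "$DEMO/a.pem" -subj "/CN=demo" -days 1 -out "$DEMO/a.crt" 2>/dev/null
    # DER forms, mirroring the files the question starts from
    openssl pkcs8 -topk8 -nocrypt -in "$DEMO/a.pem" -outform der -out "$DEMO/a.key"
    openssl pkcs8 -topk8 -nocrypt -in "$DEMO/b.pem" -outform der -out "$DEMO/b.key"
    openssl x509 -in "$DEMO/a.crt" -outform der -out "$DEMO/a.x509"
}
```

Running `key_matches_cert` on the two files first tells you whether the third party actually handed over a matching pair; if it fails, no amount of format conversion will make `openssl pkcs12 -export` accept them.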