
I need to convert an RSA key pair to .p12 and I am not able to do it. I have tried different approaches using openssl but I am still failing.

I have the following

-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----


-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----

It seems that I am missing the basics... The only thing I get from the Service Provider is the RSA public and private key. The target landscape supports .p12 only.

I tried

openssl pkcs12 -export -out DocusignPrivate.p12 -inkey DocusignPrivate.pem -in DocusignPublic.pem 

THANKS for your help!

Best regards Martin

Martin
  • Does PKCS12 even support storing keypairs? I thought it's mainly a way to store certificates. – Thomas Nov 07 '20 at 15:19
  • Hi Thomas, I don't know, but I am a little bit confused. – Martin Nov 07 '20 at 15:53
  • @Thomas: PKCS12 (and PFX) was _created_ to [store a privatekey and the matching X.509 certificate or (usually) chain](https://en.wikipedia.org/wiki/PKCS_12), although the standard is flexible enough it _can_ be used for other things, and Java (especially 9 up) uses it to store 'trusted' certs without privatekeys. But it can't store bare public key(s). – dave_thompson_085 Nov 07 '20 at 19:12

2 Answers

This is not a programming or development question or problem, and likely to be voted off-topic, as in recent years with the existence of many other Stacks SO has become more restrictive.

PKCS12 can't store a bare public key; (instead) it stores X.509 certificate(s) which contain a public key. When you don't have a 'real' CA-issued certificate, the common practice is to create a dummy (self-signed) certificate. There are multiple ways to do this, including several with OpenSSL, and probably hundreds of existing Qs and As about them, but the simplest is

openssl req -new -x509 -key $privkey -days 365 -subj "/CN=somename" -out $cert
# adjust days if desired; depending on the software that will use this p12 
# and your version of openssl, may need to specify signing hash e.g. -sha256
#
# then use openssl pkcs12 -export -inkey $privkey -in $cert -out $p12
dave_thompson_085

I had a similar problem. In my case, I was able to get a pem by first creating a P12 and then extracting a new pem file from it. I bet there is a better one-liner out there. I used these commands (substitute your FQHN in the env variable):

export FQHN=DocusignPrivate
openssl pkcs12 -inkey ${FQHN}_private.key -in ${FQHN}.cer -export -out ${FQHN}.p12
openssl pkcs12 -in ${FQHN}.p12 -out ${FQHN}.pem -nocerts -nodes

More out the file. Edit the file to remove the top three lines before the -----BEGIN PRIVATE KEY-----.

Note: I typed in the commands manually, so there might be a typo...so I'd appreciate it if someone could also test the commands - or I will try later. Also, this assumes that the .cer file is your signed X509 certificate.

As a simple check, I used this command to output some info: openssl rsa -in ${FQHN}.pem -noout -text

Hat Tip: I followed the steps on this question.

Michael Behrens
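The two answers above describe one round trip: wrap a bare RSA private key in a self-signed certificate and export key plus certificate as PKCS#12 (dave_thompson_085's answer), then pull the key back out of the .p12 as PEM and inspect it with `openssl rsa` (Michael Behrens' answer). The script below is an added example that is not code from either answer; it carries both halves through end to end on a freshly generated throwaway key and confirms, by comparing moduli, that the key recovered from the .p12 is the one that went in. It assumes OpenSSL 1.1.1 or newer on PATH; the function names, file names, subject and the password `changeit` are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not part of the Stack Overflow answers. Assumes openssl 1.1.1+.
set -eu

# make_p12 KEY CERT P12 [PASSWORD]
# KEY is a PEM RSA private key. Creates a self-signed certificate for it (PKCS#12
# cannot hold a bare public key, so the certificate is the container for it) and
# exports key + certificate as P12, protected with PASSWORD.
make_p12() {
    key=$1; cert=$2; p12=$3; pass=${4:-changeit}
    # -sha256 makes the signing hash explicit, as the answer recommends.
    openssl req -new -x509 -key "$key" -days 365 -sha256 \
        -subj "/CN=demo-p12" -out "$cert"
    # The export fails if CERT's public key does not match KEY.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$p12" \
        -passout "pass:$pass"
}

# extract_key P12 OUT_PEM [PASSWORD]
# Writes the private key from the PKCS#12 as an unencrypted PKCS#8 PEM (-nodes),
# with the "Bag Attributes" header lines openssl prints before the key.
extract_key() {
    p12=$1; out=$2; pass=${3:-changeit}
    openssl pkcs12 -in "$p12" -out "$out" -nocerts -nodes -passin "pass:$pass"
}

# key_modulus PEM
# Prints "Modulus=..." for the RSA key in PEM; openssl rsa skips any text that
# precedes the PEM block, so the extracted file can be read as-is.
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# round_trip DIR
# Generates a demo key in DIR, packs it into a .p12, unpacks it again and prints
# "match" when the restored key has the same modulus as the original.
round_trip() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null
    make_p12 "$dir/private.pem" "$dir/cert.pem" "$dir/bundle.p12"
    extract_key "$dir/bundle.p12" "$dir/restored.pem"
    if [ "$(key_modulus "$dir/private.pem")" = "$(key_modulus "$dir/restored.pem")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Usage: sh p12_roundtrip.sh --demo   (hypothetical file name)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    round_trip "$tmp"
    rm -rf "$tmp"
fi
```

Two points worth noticing when adapting this to a real key: the `-nodes` extraction writes the private key to disk unencrypted, exactly as the second answer's command does, so treat that PEM like the original key file; and the .p12 password is passed on the command line here only for the sake of a non-interactive demo, since `-passout`/`-passin` with `pass:` exposes it to anything that can read the process list. Dropping those two options makes openssl prompt for the password instead.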