Openssl pkcs12 keeps removing the PEM passphrase from keystore’s entry

certificateopensslpkcspkirsa

OpenSSL 1.0.1e 11 Feb 2013

Generating a self-signed certificate:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days
365

During the process a PEM passphrase is requested:

Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:

There are 2 resulting files after successful completion in PEM format:

key.pem, cert.pem

The private key (key.pem) is in PKCS#8 format and the starting line reads:

—–BEGIN ENCRYPTED PRIVATE KEY—–

Now I am trying to combine the certificate, as well as the related private key, into a PKCS#12 keystore and protect the keystore with a password. Note – from my understanding this should effectively enforce requesting a password during read access, as well as a passphrase for the private key of the according entry:

openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12

Upon execution I am asked of the following:

Enter pass phrase for key.pem:
Enter Export Password:
Verifying – Enter Export Password:

However, it is my understanding that the passphrase should remain intact for the private key that is now being stored in the keystore.p12 file. Here is how I try to read the contents of the keystore:

openssl pkcs12 -nodes -info -in keystore.p12

The output I get (only related to protecting the keystore with a password):

Enter Import Password:

And lists the certificate, as well as the private key, in PEM format without requesting the passphrase for the latter. That is basically the problem. The PEM passphrase is no longer there for the private key. What am I doing wrong or how can I fix this? Thank you.

Best Answer

There's nothing wrong. That's how PKCS12 works. PKCS12 is format for securely transporting certificate chains and private keys between tokens. Protection/encryption of private key is done by passphrase you entered when asked for 'Enter Export Password'. Nothing like twice encrypted keys.

EDIT: Omit -nodes option. That turns off encryption of private key.

Related Solutions

Google-chrome – Exporting a certificate in PKCS12 format from firefox

You can view Certificate contents in Firefox
(Tools -> Options -> Advanced -> Encryption -> View Certs -> Yours/Authority/etc -> <cert> -> View -> Details -> Certificate Fields -> Public Key)

If you can export to PEM, you can convert that to PKCS12

# export mycert.pem as PKCS#12 file, mycert.pfx
openssl pkcs12 -export \
  -out mycert.pfx -in mycert.pem \
  -name "My Certificate"

Update: Examples of using OpenSSL

Generate a self-signed certificate

  $ openssl req \
  >   -x509 -nodes -days 365 \
  >   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

View it's contents

  $ openssl x509 -in mycert.pem -noout -text

View the PEM file

  $ cat mycert.pem
  -----BEGIN RSA PRIVATE KEY-----
  MIICXAIBAAKBgQDa6JQOLkwoIGhTvcTSYX68Ddaq4hGk/61RSVELaVFJTNQYPB86
  …
  aPj0KoeFJ04/sLcZNZwGcC93rNA66xTICLtGbBXlM1U=
  -----END RSA PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  MIICxTCCAi6gAwIBAgIJAOaxxgLFlypwMA0GCSqGSIb3DQEBBQUAMEwxCzAJBgNV
  …
  tz0TMEYxbGIscZbxeJxoK6pe5tOwXtdjStlcITzksdPV5rLp84aeJl4=
  -----END CERTIFICATE-----

Note that whilst a PEM file can contain both private key and a certificate, the private key isn't part of the X.509 certificate.

If the PEM exported by FF lacks the BEGIN and END markers around the Base64 encoded data, OpenSSL can't read the PEM file.

Here's CA certificate I exported from Firefox (*viewed in e.g. notepad)

-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
…
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

(ellipsis … where data omitted for brevity)

I can view that OK using openssl x509 -in ff.crt -noout -text (I cut & pasted from Windows to Linux but you can install openssl on Windows too)

How to export private key from a certificate chain

The openssl pkcs12 command you used should also export the private key

openssl pkcs12 -in server.pkcs -out server.pem

I guess that the p12 input file does not contain the private key.

Are you sure there is not some kind of warning when exporting the key from the p12 file.

One thing which is important is that it seems that JKS supports a separate key password and a store password. When exporting the p12 from the JKS it can happen that the password for the p12 is different then the password for the key. It seems that this is not supported by openssl (just tried) and results in a "bad decrypt" error. You should make sure that the key password is the same as the p12 password.

Best Answer

Related Solutions

Google-chrome – Exporting a certificate in PKCS12 format from firefox

How to export private key from a certificate chain

Related Question