Score:1

How do I properly generate pkcs#12 keystore?

tc flag

I have an application that needs to communicate with the bank for online transactions. I am using OpenSSL 3.0.8.7 in Windows 11. I generated a private key using:

openssl genrsa -out rsa_key.pem 2048

Then a Certificate Signing Request using:

openssl req -new -key rsa_key.pem -out csr.pem -subj "[REDACTED]"

I sent the CSR to the bank and received back a signed certificate (signed_cert.pem) and the bank CA (ca.pem). I am trying to create a pkcs#12 keystore to use in my application using

openssl pkcs12 -export -CAfile ca.pem -inkey rsa_key.pem -certfile signed_cert.pem -passout pass:[REDACTED] -out keystore.p12

When I do, OpenSSL gives no output but just keeps running until I kill the process. No output, no errors. What am I doing wrong?

Wahyu Kristianto
ca flag
You can try adding the `-nodes` and/or `-debug`
Amit
ci flag
Suggesting to export this question to: https://security.stackexchange.com/ because this is chiefly concerned with the OpenSSL tool and doesn't require any specific Crypto expertise. (Currently there is no option to suggest this via a flag, and I think there should be).
objecttothis
tc flag
I've printed the value of the modulus of all three and they all come out the same... I think that means that the keys are compatible. I would also guess if one was corrupted that it would not have generated the same modulus. -debug doesn't work. I tried adding -nodes (deprecated) but there was no difference.
dave_thompson_085
cn flag
You should supply at least the cert (`signed_cert.pem`) as `-in`, or by redirecting stdin. If you don't do either, `openssl pkcs12` waits for you to manually enter the cert which you didn't and probably can't. As you found in your self-answer you _may_ also include the key on `-in`/stdin (first) instead of using `-inkey`, and the CA/chain cert(s) instead of using `-certfile`. But this isn't really cryptography. `-nodes` on `pkcs12 -export` is ignored and does nothing.
Maarten Bodewes
in flag
@Amit This kind of tool usage is actually more for [su], just so that you know.
objecttothis
tc flag
Thank you @dave_thompson_085 for the explanation. I didn't quite realize that StackExchange separated Cryptography and Information Security. Yes, it is not strictly Cryptography. It's interesting to me that OpenSSL gives you no indication that it's waiting for anything. The documentation isn't clear to me that I should have used -in rather than -certfile for signed_cert.pem.
Score:2
tc flag

While I was never able to get this to work as I was trying to use it, I switched over to a FreeBSD machine, then ran

cat rsa_key.pem > combined.pem
cat signed_cert.pem >> combined.pem
cat ca.pem >> combined.pem

Then ran

openssl pkcs12 -export -in combined.pem -out keystore.p12

That worked correctly. Not sure what's wrong with the initial syntax, but oh well.
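The following script is an added example, not code from the question or the self-answer above. It reproduces the whole flow end to end so the two findings in this thread can be checked without a bank: the comment's point that the client certificate has to be supplied on `-in` (otherwise `openssl pkcs12 -export` reads it from stdin and waits), and the self-answer's variant of concatenating key, certificate and CA into one file. The "bank" CA is a throwaway self-signed CA generated locally, and every subject name, file name and the password `demo-pass` are constructed for the demo. It also goes slightly beyond the thread by reading the keystore back and comparing moduli, which is the check the asker did by hand on the PEM files.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes a POSIX sh
# and an openssl binary on PATH; all material below is generated locally.
set -e

# Generate constructed material in $1: a stand-in "bank" CA plus a client key
# and a certificate that the CA signs from a CSR (same flow as the question).
make_demo_material() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Demo Bank CA" \
        -days 2 -out "$dir/ca.pem" 2>/dev/null
    openssl genrsa -out "$dir/rsa_key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/rsa_key.pem" -subj "/CN=demo-client" \
        -out "$dir/csr.pem" 2>/dev/null
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/signed_cert.pem" 2>/dev/null
}

# RSA modulus of a PEM key or certificate, so the two can be compared.
key_modulus()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null; }
cert_modulus() { openssl x509 -in "$1" -noout -modulus 2>/dev/null; }

# Correct export: the client certificate goes on -in, the key on -inkey and the
# CA on -certfile. Without -in, openssl reads the certificate from stdin, which
# is why the command in the question sat silently on a terminal.
build_p12() {
    dir=$1; pass=$2
    openssl pkcs12 -export -in "$dir/signed_cert.pem" -inkey "$dir/rsa_key.pem" \
        -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/keystore.p12"
}

# The question's mistake (no -in), but with stdin closed so openssl fails at
# once instead of waiting. Prints 1 if the export failed, 0 if it succeeded.
build_p12_without_in() {
    dir=$1; pass=$2
    if openssl pkcs12 -export -inkey "$dir/rsa_key.pem" -certfile "$dir/signed_cert.pem" \
        -passout "pass:$pass" -out "$dir/bad.p12" </dev/null 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

# The self-answer's variant: key, certificate and CA concatenated on -in.
# With no -inkey, openssl takes the private key from the same file.
build_p12_combined() {
    dir=$1; pass=$2
    cat "$dir/rsa_key.pem" "$dir/signed_cert.pem" "$dir/ca.pem" > "$dir/combined.pem"
    openssl pkcs12 -export -in "$dir/combined.pem" -passout "pass:$pass" \
        -out "$dir/combined.p12"
}

# Read a keystore back and count the certificates it holds
# (client certificate + CA = 2 for the material above).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Modulus of the private key stored inside a keystore, to confirm the exported
# key is the one matching the certificate (-nodes here is the import-side
# "write the key unencrypted" option; it is ignored on -export).
p12_key_modulus() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl rsa -noout -modulus 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_demo_material "$work"
    if [ "$(key_modulus "$work/rsa_key.pem")" = "$(cert_modulus "$work/signed_cert.pem")" ]; then
        echo "key and certificate moduli match"
    fi
    echo "export without -in failed: $(build_p12_without_in "$work" demo-pass)"
    build_p12 "$work" demo-pass
    echo "keystore.p12 holds $(p12_cert_count "$work/keystore.p12" demo-pass) certificates"
    build_p12_combined "$work" demo-pass
    echo "combined.p12 holds $(p12_cert_count "$work/combined.p12" demo-pass) certificates"
    rm -rf "$work"
}

main
```

Run it as `sh build_p12_demo.sh`; it prints that the moduli match, that the `-in`-less export fails (status 1) instead of hanging, and that both keystores contain two certificates. On a real system the generated CA and client material are replaced by the bank-issued `signed_cert.pem` and `ca.pem`, and the password should come from somewhere other than the command line, since `pass:` arguments are visible in the process list.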
