Ulrich

Reputation: 1

An openssl p12 certificate is not made like with Windows

I create my certificate with openssl:

openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -certfile domain.cha.pem -chain -CAfile domain.cha.pem -out domain.p12

or

openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -chain -CAfile domain.cha.pem -out domain.p12

or

openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -certfile domain.cha.pem -out domain.p12

or (with ca certificates in domain.crt.pem)

openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -out domain.p12

and use it for my SMTP gateway, the certificate chain is not there:

echo | openssl s_client -crlf -connect smtp.domain.de:25 -starttls smtp -servername smtp.domain.de | openssl x509 -noout -dates

depth=0 CN = smtp.domain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = smtp.domain.de
verify error:num=21:unable to verify the first certificate
verify return:1
250 HELP
DONE
notBefore=Apr 22 00:00:00 2021 GMT
notAfter=Mar 14 23:59:59 2022 GMT

but if I import this p12 file into Windows and export it with all certs, I get:

echo | openssl s_client -crlf -connect smtp.domain.de:25 -starttls smtp -servername smtp.domain.de | openssl x509 -noout -dates

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G1
verify return:1
depth=0 CN = smtp.domain.de
verify return:1
250 HELP
DONE
notBefore=Apr 22 00:00:00 2021 GMT
notAfter=Mar 14 23:59:59 2022 GMT

What is the missing parameter for openssl to correct this?

Upvotes: 0

Views: 777

Answers (1)

Shane Powell

Reputation: 14148

As with everything, it's a good idea to look at the documentation on how to do it.

There are 3 ways I can think of to do it.

  1. Include all the chain certificates in your input pem file. That way your command doesn't need to change, just your input.

  2. Use the "-certfile" option to specify additional certificates you want.

e.g. openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -certfile digicerts.pem -out domain.p12

  3. Use the "-chain" and the -CAfile/-CApath/config setup to pull the chain from a CA store.

e.g. openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -chain -out domain.p12

(assumes default ca store setup for your openssl) or

e.g. openssl pkcs12 -export -in domain.crt.pem -inkey domain.key.pem -chain -CAfile cacert.pem -out domain.p12

Provide a ca store (cacert.pem) that includes all the required certificates to make up your required chain.

============== UPDATE =================

I have an example certificate chain for www.example.com, with the chain: www.example.com -> XXXX Development Intermediate CA -> XXXX Development CA

They are in the files:

www.example.com.cert.pem - the www.example.com certificate
www.example.com.key.pem - the www.example.com certificate key
intermediate.pem - the XXXX Development Intermediate CA certificate
ca.pem - the XXXX Development CA certificate

When I do a verify I get:

openssl verify -show_chain -untrusted intermediate.pem -CAfile ca.pem www.example.com.cert.pem
.\www.example.com.cert.pem: OK
Chain:
depth=0: C = NZ, ST = Auckland, L = Auckland, O = XXXX, CN = www.example.com, emailAddress = [email protected] (untrusted)
depth=1: C = NZ, ST = Auckland, O = XXXX, CN = XXXX Development Intermediate CA, emailAddress = [email protected]
depth=2: C = NZ, ST = Auckland, L = Auckland, O = XXXX, CN = XXXX Development CA, emailAddress = [email protected]

Example 1:

Combine the three files into one file. They are just text files, so you can combine them any way you want.
Powershell example:

dir www.example.com.cert.pem,intermediate.pem,ca.pem | gc | out-file www.example.com.all.pem

Create p12 file:

openssl pkcs12 -export -in www.example.com.all.pem -inkey www.example.com.key.pem -out www.example.com.p12

Example 2:

Create p12 file:

openssl pkcs12 -export -in www.example.com.cert.pem -inkey www.example.com.key.pem -certfile intermediate.pem -certfile ca.pem -out .\www.example.com.p12

Example 3:

Generate a ca store file with the intermediate and ca certificates with PowerShell; again, it's just combining text files, so do it however you want:

dir intermediate.pem,ca.pem | gc | out-file ca-all.pem

Create p12 file:

openssl pkcs12 -export -in www.example.com.cert.pem -inkey www.example.com.key.pem -chain -CAfile ca-all.pem -out www.example.com.p12

Using any of the www.example.com.p12 output files from the above examples, I can verify with the following command:

openssl pkcs12 -in www.example.com.p12 -info -nodes | openssl verify -show_chain -CAfile ca.pem
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
stdin: OK
Chain:
depth=0: C = NZ, ST = Auckland, L = Auckland, O = XXXX, CN = www.example.com, emailAddress = [email protected] (untrusted)
depth=1: C = NZ, ST = Auckland, O = XXXX, CN = XXXX Development Intermediate CA, emailAddress = [email protected]
depth=2: C = NZ, ST = Auckland, L = Auckland, O = XXXX, CN = XXXX Development CA, emailAddress = [email protected]

Now to apply the above to your example: you have your certificate pem and key pem, and you need to get the correct intermediate pem and root ca pem files. These are normally supplied by the CA that issued the certificate. You can also do it manually by using Google.

Your intermediate certificate is: "Encryption Everywhere DV TLS CA - G1". Doing a search for "digicert Encryption Everywhere DV TLS CA - G1" gives me this page.

I would download the "PEM" version of the "Encryption Everywhere DV TLS CA - G1" certificate. On the same page you can also download the "DigiCert Global Root CA" PEM file as well.

Using the "openssl verify" command example above I would verify that I have the correct intermediate and root certificates.

Create the p12 file using any of the examples above (example 2 seems easier to me at this point).

Then I would verify the p12 file using the "openssl pkcs12 | openssl verify" command like I did with my example.

Upvotes: 1
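Added example, not code from the question or the answer above: a POSIX shell script that builds a throwaway root -> intermediate -> leaf hierarchy, packs it into a .p12 the three ways the answer lists (plus the leaf-only case that reproduces the asker's "chain is not there" symptom), and counts how many certificates each .p12 actually carries, which is the check worth running before the file goes onto the gateway. It assumes the openssl CLI (1.1.1 or 3.x) is installed; all names, file names and the password are made up, and for way 2 both CA certificates are passed in a single -certfile bundle.

```shell
#!/bin/sh
# Added example (not from the post): build a demo chain, export it to PKCS#12
# the three ways the answer lists, and count the certificates inside each .p12.
# Assumes the openssl CLI; every name and the password here are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
PW=pass:demo-only

# Constructed demo CA hierarchy (throwaway keys, 2-day validity, no real CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key \
  -CAcreateserial -days 2 -out leaf.pem 2>/dev/null

# Number of X.509 certificates stored in a PKCS#12 file (prints 0 if unreadable).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "$PW" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Baseline: only the leaf goes in, so a server using it can only send the leaf.
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -passout "$PW" \
  -out leaf-only.p12

# Way 1: the input PEM already holds leaf + intermediate + root.
cat leaf.pem intermediate.pem ca.pem > all.pem
openssl pkcs12 -export -in all.pem -inkey leaf.key -passout "$PW" -out way1.p12

# Way 2: extra certificates via -certfile (one bundle holding both CA certs).
cat intermediate.pem ca.pem > chain.pem
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -certfile chain.pem \
  -passout "$PW" -out way2.p12

# Way 3: -chain builds the chain from the CA store given with -CAfile.
openssl pkcs12 -export -in leaf.pem -inkey leaf.key -chain -CAfile chain.pem \
  -passout "$PW" -out way3.p12

for f in leaf-only.p12 way1.p12 way2.p12 way3.p12; do
  printf '%-14s %s certificate(s)\n' "$f" "$(p12_cert_count "$f")"
done
```

A file that reports 1 here is the one that produces "unable to get local issuer certificate" in s_client; the three chained variants all report 3.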
