Mark

Reputation: 560

Adding Password to Passwordless PFX Using openssl

When exporting a PFX from an Azure Key Vault, the PFX is exported with no password (or it might be with an empty password).

I need to use openssl to add a password to the PFX file. From reading various sites, I need to extract the key and crt files and then re-combine them into one file but this time with a password. However, every attempt to read the passwordless PFX file results in an error.

140462554078016:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140462554078016:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12

I have tried the following variants and have included the error:

X:\Temp>openssl pkcs12 -in 443.pfx -nocerts -out 443.key
F8CB0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
F8CB0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -passout pass: -passin pass:""
58860000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
58860000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -passin pass:""
FCAA0000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
FCAA0000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -passin pass:
40A90000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
40A90000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -passin
pkcs12: Option -passin needs a value
pkcs12: Use -help for summary.

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -passin pass:abc
58B50000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
58B50000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

X:\Temp>openssl pkcs12 -in 443.pfx -out 443.key -nodes
80940000:error:068000A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1188:
80940000:error:0688010A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:349:Type=PKCS12

The PFX itself starts with

MIINhgIBAzCCDUIGCSqGSIb3DQEHAaC

and ends with

rMdLz4AGINAgIH0A==

I can successfully import the PFX into Windows (at the Password prompt I just press return and it imports the PFX).

What are the openssl commands to extract the key and crt files?

Upvotes: 0

Views: 1338

Answers (1)

Raman Singh

Reputation: 75

Generally, PFX files are generated without a password. When importing and being asked for a password this can normally be left blank. Some systems insist that a password is entered.

Therefore we recommend regenerating the PFX file with a password. This can be done using OpenSSL.

First convert the PFX file to PEM.

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

Then convert the PEM file back to PFX and specify a password.

openssl pkcs12 -export -out cert.pfx -in cert.pem
Enter Export Password:
Verifying - Enter Export Password:

I checked and it is working fine, and I am using the PFX file with a password.

Upvotes: 0
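
The opening characters quoted in the question (MIINhgIBAz...) are base64 text, whereas openssl pkcs12 -in parses raw DER, which is one way to arrive at the "wrong tag" error shown there. The Python check below is an added example, not part of either post: it tells a DER PFX from a base64-wrapped one and returns the DER bytes, which can be written to a file before running the commands in the answer. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii

# Constructed sample (not a real certificate): outer SEQUENCE, INTEGER 3,
# then a SEQUENCE holding the pkcs7-data OID, mirroring a PFX header.
CONSTRUCTED_PFX = bytes.fromhex("3010" "020103" "300b" "06092a864886f70d010701")


def der_seq_total_len(buf):
    """Length of header plus body of the DER SEQUENCE at buf[0], else None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    if buf[1] < 0x80:                     # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_pfx(der):
    """True if one SEQUENCE spans the buffer and opens with INTEGER 3."""
    if der_seq_total_len(der) != len(der):
        return False
    hdr = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[hdr:hdr + 3] == b"\x02\x01\x03"


def normalize_pfx(raw):
    """Return ('der' | 'base64', der_bytes); raise ValueError otherwise."""
    if looks_like_pfx(raw):
        return "der", raw
    try:
        decoded = base64.b64decode(b"".join(raw.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not DER and not valid base64") from exc
    if not looks_like_pfx(decoded):
        raise ValueError("base64 decodes, but not to a PKCS#12 header")
    return "base64", decoded


if __name__ == "__main__":
    wrapped = base64.encodebytes(CONSTRUCTED_PFX)   # what a text export looks like
    print(normalize_pfx(wrapped)[0])                # base64
    print(normalize_pfx(CONSTRUCTED_PFX)[0])        # der
```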
