
I have an application that needs to communicate with the bank for online transactions. I am using OpenSSL 3.0.8.7 in Windows 11. I generated a private key using:

openssl genrsa -out rsa_key.pem 2048

Then a Certificate Signing Request using:

openssl req -new -key rsa_key.pem -out csr.pem -subj "[REDACTED]"

I sent the CSR to the bank and received back a signed certificate (signed_cert.pem) and the bank CA (ca.pem). I am trying to create a pkcs#12 keystore to use in my application using

openssl pkcs12 -export -CAfile ca.pem -inkey rsa_key.pem -certfile signed_cert.pem -passout pass:[REDACTED] -out keystore.p12

When I do, OpenSSL gives no output, but just keeps running until I kill the process. No output, no errors. What am I doing wrong?

  • You can try adding the -nodes and/or -debug – Wahyu Kristianto Feb 16 '23 at 14:59
  • Suggesting to export this question to: https://security.stackexchange.com/ because this is chiefly concerned with the OpenSSL tool and doesn't require any specific Crypto expertise. (Currently there is no option to suggest this via a flag, and I think there should be). – Amit Feb 16 '23 at 15:21
  • I've printed the value of the modulus of all three and they all come out the same... I think that means that the keys are compatible. I would also guess if one was corrupted that it would not have generated the same modulus. -debug doesn't work. I tried adding -nodes (deprecated) but there was no difference. – objecttothis Feb 16 '23 at 17:19
  • You should supply at least the cert (signed_cert.pem) as -in, or by redirecting stdin. If you don't do either, openssl pkcs12 waits for you to manually enter the cert which you didn't and probably can't. As you found in your self-answer you may also include the key on -in/stdin (first) instead of using -inkey, and the CA/chain cert(s) instead of using -certfile. But this isn't really cryptography. -nodes on pkcs12 -export is ignored and does nothing. – dave_thompson_085 Feb 17 '23 at 00:35
  • @Amit This kind of tool usage is actually more for [su], just so that you know. – Maarten Bodewes Feb 17 '23 at 14:11
  • Thank you @dave_thompson_085 for the explanation. I didn't quite realize that StackExchange separated Cryptography and Information Security. Yes, it is not strictly Cryptography. It's interesting to me that OpenSSL gives you no indication that it's waiting for anything. The documentation isn't clear to me that I should have used -in rather than -certfile for signed_cert.pem. – objecttothis Feb 19 '23 at 22:20

1 Answer


While I was never able to get this to work as I was trying to use it, I switched over to a FreeBSD machine then ran

cat rsa_key.pem > combined.pem
cat signed_cert.pem >> combined.pem
cat ca.pem >> combined.pem

Then ran

openssl pkcs12 -export -in combined.pem -out keystore.p12

That worked correctly. Not sure what's wrong with the initial syntax, but oh well.
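The two working recipes in this thread (dave_thompson_085's comment: pass the leaf certificate on -in, the key on -inkey and the chain on -certfile; and the self-answer: concatenate everything and pass it on -in) both come down to the same point: without -in, openssl pkcs12 reads the certificate from stdin and silently waits. The script below is an added example, not code from the question or the answer. It generates a throwaway CA locally so that it runs offline (the CA stands in for the bank's ca.pem), performs the modulus check mentioned in the comments, builds the keystore with -in, verifies what ended up in it, and shows that the original command fails fast once stdin is closed instead of hanging. All file names, subject strings and the password are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a PKCS#12 keystore
# the way the thread's comment and self-answer describe. The test CA, file
# names, subjects and the password "changeit" are all constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# A self-signed test CA standing in for the bank CA (constructed, not real).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca.pem" \
        -subj "/CN=Demo Test CA" >/dev/null 2>&1
}

# Client side: private key and CSR, as in the question.
make_client_key_and_csr() {
    openssl genrsa -out "$WORK/rsa_key.pem" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/rsa_key.pem" -out "$WORK/csr.pem" \
        -subj "/CN=demo-client" >/dev/null 2>&1
}

# "Bank" side: sign the CSR with the test CA (stand-in for what the bank returns).
sign_csr() {
    openssl x509 -req -in "$WORK/csr.pem" -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" \
        -CAcreateserial -days 1 -out "$WORK/signed_cert.pem" >/dev/null 2>&1
}

# The check from the comments: the key and the certificate must share a modulus.
# Returns 0 only when the private key really belongs to the signed certificate.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/rsa_key.pem" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORK/signed_cert.pem" | openssl sha256)
    [ "$k" = "$c" ]
}

# The fix: leaf certificate on -in, private key on -inkey, CA chain on -certfile.
build_keystore() {
    openssl pkcs12 -export \
        -in "$WORK/signed_cert.pem" \
        -inkey "$WORK/rsa_key.pem" \
        -certfile "$WORK/ca.pem" \
        -passout pass:changeit \
        -out "$WORK/keystore.p12"
}

# Verify the result: exactly one private key and two certificates (leaf + CA).
# Prints "<keys> <certs>", i.e. "1 2" on success.
count_keystore_contents() {
    openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit -nodes 2>/dev/null \
        | awk '/-----BEGIN .*PRIVATE KEY-----/{k++} /-----BEGIN CERTIFICATE-----/{c++} END{print k+0, c+0}'
}

# The question's command has no -in, so pkcs12 reads the certificate from stdin.
# On a terminal that looks like a hang; with stdin closed it fails immediately.
export_without_in_fails() {
    ! openssl pkcs12 -export -CAfile "$WORK/ca.pem" -inkey "$WORK/rsa_key.pem" \
        -certfile "$WORK/signed_cert.pem" -passout pass:changeit \
        -out "$WORK/bad.p12" </dev/null >/dev/null 2>&1
}

# Full run: every step must succeed; the last line printed is the content count.
run_demo() {
    make_test_ca && make_client_key_and_csr && sign_csr && key_matches_cert \
        && build_keystore && count_keystore_contents
}

# Usage: sh this_script.sh  -> prints "1 2" and "hang reproduced as error: yes"
if [ "${0##*/}" != "sh" ] && [ "${DEMO_MAIN:-1}" = "1" ]; then
    run_demo
    if export_without_in_fails; then echo "hang reproduced as error: yes"; fi
fi
```

The modulus comparison is the quick way to confirm that the key, CSR and certificate belong together before blaming the keystore step; if it fails, no pkcs12 invocation will succeed, because openssl pkcs12 refuses to export a certificate that does not match the supplied private key.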