PKI Tutorials - Herong's Tutorial Examples - Version 2.10, by Dr. Herong Yang
"bad decrypt:./crypto/evp/evp_enc.c:461" Error
This section provides a tutorial example on why OpenSSL 'pkcs12' failed with 'bad decrypt:./crypto/evp/evp_enc.c:461' error. The root cause is the key password different than file password.
When I was trying to export my private key from the KeyStore file, I encountered an file password issue, which is worth mentioning here.
See the OpenSSL error message displayed below:
C:\herong>\local\jdk\bin\keytool -importkeystore -srckeystore herong.jks -srcstoretype jks -srcstorepass HerongJKS -srcalias herongyang.com -destkeystore test.p12 -deststoretype pkcs12 -deststorepass TestP12 -destalias 1 C:\herong>\local\gnuwin32\bin\openssl pkcs12 -in Test.p12 -passin pass:TestP12 -nocerts -out test_key.pem -des -passout pass:TestKey MAC verified OK Error outputting keys and certificates 3812:error:06065064:digital envelope routines:EVP_DecryptFinal_ex: bad decrypt:./crypto/evp/evp_enc.c:461: 3812:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:./crypto/pkcs12/p12_decr.c:97: 3812:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i: pkcs12 pbe crypt error:./crypto/pkcs12/p12_decr.c:123:
So what's wrong with the PKCS12 file, Test.p12? Why OpenSSL can not decrypt my private key from Test.p12? Here is what I think:
Obviously, to avoid this problem, you have to set the key password and the file password with the same value with "keytool". See tutorials in previous sections on how to do this.
Last update: 2011.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of HTTPS (Hypertext Transfer Protocol Secure)
Using HTTPS with Google Chrome
Using HTTPS with Mozilla Firefox
HTTPS with IE (Internet Explorer)
Perl Scripts Communicating with HTTPS Servers
PHP Scripts Communicating with HTTPS Servers
Java Programs Communicating with HTTPS Servers
Windows Certificate Stores and Console
.NET Programs Communicating with HTTPS Servers
CAcert.org - Root CA Offering Free Certificates
►PKI CA Administration - Issuing Certificates
Requesting and Signing Personal Certificate
Generating a Private-Public Key Pair for Amy
Generating a CSR (Certificate Signing Request)
Verifying Requester's Email Address
Exporting a Private Key from a KeyStore File
Signing a CSR into a Certificate
Importing Certificate Reply Back to KeyStore
►"bad decrypt:./crypto/evp/evp_enc.c:461" Error
Requesting and Signing Server Certificate
Comodo Free Personal Certificate
Digital Signature - Microsoft Word
Digital Signature - OpenOffice.org 3