PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl pkcs12 -export" - Limitations and Errors
This section provides tutorial examples showing some limitations and errors of the "openssl pkcs12 -export" command.
1. "No certificate matches private key" Error - At least one certificate is required, and it must match the input key pair. So we cannot convert a key pair alone from PEM to PKCS12 format with the "openssl pkcs12" command.

herong$ openssl pkcs12 -export \
   -in key.pem -passin pass:TopSecret \
   -out error.p12 -passout pass:TopSecret

No certificate matches private key

2. "Unable to load private key" Error - A private/public key pair is required in the input. So we cannot convert a certificate alone from PEM to PKCS12 format with the "openssl pkcs12" command.

herong$ openssl pkcs12 -export -in hy-cert.pem \
   -out error.p12

unable to load private key
82991:error:0906D06C:PEM routines:PEM_read_bio:no start line:
/.../crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY

3. "No certificate matches private key" Error - The input private key does not match any of the input certificates.

herong$ openssl pkcs12 -export -in root-cert.pem \
   -inkey key.pem -passin pass:TopSecret \
   -out error.p12 -passout pass:TopSecret

No certificate matches private key

4. Adding unrelated certificates to a PKCS12 bundle is allowed. The certificate given with "-certfile" is stored in the bundle as is.

herong$ openssl pkcs12 -export -in hy-cert-2.pem \
   -inkey key.pem -passin pass:TopSecret \
   -certfile root-cert.pem \
   -out mix-cert-bundle.p12 -passout pass:TopSecret

herong$ openssl pkcs12 \
   -in mix-cert-bundle.p12 -passin pass:TopSecret \
   -out mix-cert-bundle.pem -passout pass:TopSecret

herong$ more mix-cert-bundle.pem
Bag Attributes
    localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,62E4D3AD9DB7FF03

...
-----END EC PRIVATE KEY-----

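5. If multiple input key pairs are provided, only the first one is taken into the PKCS12 bundle. In the example below, the output contains both certificates but only one private key, and its localKeyID matches the root CA certificate that came first in the input.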

herong$ cat root-key.pem root-cert.pem hy-key.pem hy-cert.pem \
   > mix-input.pem

herong$ openssl pkcs12 -export \
   -in mix-input.pem -passin pass:TopSecret \
   -out mix-key-bundle.p12 -passout pass:TopSecret

herong$ openssl pkcs12 \
   -in mix-key-bundle.p12 -passin pass:TopSecret \
   -out mix-key-bundle.pem -passout pass:TopSecret

herong$ more mix-key-bundle.pem
Bag Attributes
    localKeyID: 3A84C0BCFBD028A9603FD1D8B2298224F50B8BC2
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 3A84C0BCFBD028A9603FD1D8B2298224F50B8BC2
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,783A892618782C58

...
-----END EC PRIVATE KEY-----

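The conditions behind items 1, 2, 3 and 5 can be checked before running the export. The script below is an added example, not part of the original tutorial: the function names (count_blocks, key_matches_cert, preflight) and the verdict words are hypothetical, and it assumes the certificate that should match the key is the first one in the certificate file.

```sh
#!/bin/sh
# Added example: pre-flight checks before "openssl pkcs12 -export".
# Function names and verdict words are hypothetical, not OpenSSL's.

# Print the number of PEM blocks in file $1 whose label matches ERE $2.
count_blocks() {
    grep -c -E -- "^-----BEGIN ($2)-----" "$1" || true
}

# Succeed if the first private key in $1 and the first certificate in $2
# carry the same public key. $3 is an openssl pass phrase argument
# such as pass:TopSecret (assumption: the leaf certificate comes first).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Usage: preflight KEYFILE CERTFILE [PASSIN]  (both may be the same file)
# Prints one verdict word; exit status is 0 only for "ok".
preflight() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then echo unreadable; return 2; fi
    keys=$(count_blocks "$1" '([A-Z0-9]+ )*PRIVATE KEY')
    certs=$(count_blocks "$2" 'CERTIFICATE')
    if [ "$keys" -eq 0 ]; then echo no-key; return 1; fi         # item 2
    if [ "$certs" -eq 0 ]; then echo no-cert; return 1; fi       # item 1
    if [ "$keys" -gt 1 ]; then echo multiple-keys; return 1; fi  # item 5
    if key_matches_cert "$1" "$2" "$3"; then
        echo ok
    else
        echo key-cert-mismatch; return 1                         # item 3
    fi
}
```

Calling preflight with mix-input.pem as both arguments reports "multiple-keys", which is the case where the export would silently bundle only the first key.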