PKI Tutorials - Herong's Tutorial Examples - Version 2.10, by Dr. Herong Yang

PKI Tutorials - Herong's Tutorial Examples

∟PKI CA Administration - Issuing Certificates

∟"bad decrypt:./crypto/evp/evp_enc.c:461" Error

When I was trying to export my private key from the KeyStore file, I encountered an file password issue, which is worth mentioning here.

See the OpenSSL error message displayed below:

C:\herong>\local\jdk\bin\keytool -importkeystore 
   -srckeystore herong.jks -srcstoretype jks -srcstorepass HerongJKS
   -srcalias herongyang.com
   -destkeystore test.p12 -deststoretype pkcs12 -deststorepass TestP12
   -destalias 1

C:\herong>\local\gnuwin32\bin\openssl pkcs12 -in Test.p12 
   -passin pass:TestP12 -nocerts -out test_key.pem 
   -des -passout pass:TestKey

MAC verified OK
Error outputting keys and certificates
3812:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:
   bad decrypt:./crypto/evp/evp_enc.c:461:
3812:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 
   cipherfinal error:./crypto/pkcs12/p12_decr.c:97:
3812:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:
   pkcs12 pbe crypt error:./crypto/pkcs12/p12_decr.c:123:

So what's wrong with the PKCS12 file, Test.p12? Why OpenSSL can not decrypt my private key from Test.p12? Here is what I think:

• In the original KeyStore file, Herong.jks, there are 2 separate passwords used: a. Key password, "HerongJKS", used to encrypt my private key; b. File password, "HerongJKS", used to encrypt the entire KeyStore file.
• In my "keytool -importkeystore" command, I did not specify the source key password. But "keytool" is smart enough to use the source file password to decrypt the private key.
• Also in my "keytool -importkeystore" command, I did not specify the destination key password. But "keytool" is stupid enough to reuse the source key password as the destination key password. "keytool" generate the destination PKCS12 file, Test.p12, with 2 different passwords: a. Key password, "HerongJKS", used to encrypt my private key; b. File password, "TestP12", used to encrypt the entire PKCS12 file.
• When executed the OpenSSL "pkcs12" command, I only specified the PKCS12 file password, "TestP12". There is no option for me to specify the key password, which is different than the file password. This is causing "pkcs12" command to fail.

Obviously, to avoid this problem, you have to set the key password and the file password with the same value with "keytool". See tutorials in previous sections on how to do this.

Last update: 2011.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of HTTPS (Hypertext Transfer Protocol Secure)

 Using HTTPS with Google Chrome

 Using HTTPS with Mozilla Firefox

 HTTPS with IE (Internet Explorer)

 Perl Scripts Communicating with HTTPS Servers

 PHP Scripts Communicating with HTTPS Servers

 Java Programs Communicating with HTTPS Servers

 Windows Certificate Stores and Console

 .NET Programs Communicating with HTTPS Servers

 CAcert.org - Root CA Offering Free Certificates

►PKI CA Administration - Issuing Certificates

 Root CA and Intermediate CA

 Requesting and Signing Personal Certificate

 Generating a Private-Public Key Pair for Amy

 Generating a CSR (Certificate Signing Request)

 Verifying Requester's Email Address

 Exporting a Private Key from a KeyStore File

 Signing a CSR into a Certificate

 Importing Certificate Reply Back to KeyStore

►"bad decrypt:./crypto/evp/evp_enc.c:461" Error

 Requesting and Signing Server Certificate

 Comodo Free Personal Certificate

 Digital Signature - Microsoft Word

 Digital Signature - OpenOffice.org 3

 S/MIME and Email Security

 PKI (Public Key Infrastructure) Terminology

 Outdated Tutorials

 References

 Full Version in PDF/EPUB

"bad decrypt:./crypto/evp/evp_enc.c:461" Error - Updated in 2018, by Dr. Herong Yang