>> That's us. :-)  We're exploring the possibility of setting up a private CA
>> to support a small number of our PCs in an IPSEC configuration.
>> 
>
> OK. Well if that's you, does that mean that you have the private key for
> the certificate it mentions?

Yes.

> If so it should be possible to decrypt the enveloped-data and get at the
> certificate request. There isn't an OpenSSL command line utility to do
> this yet. If it's just a test private key and certificate then I could do
> this if you sent it to me. I'm curious to know what the decrypted bit
> inside looks like myself...

Here it is (and yes, it's all throw away / just for testing):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,158F5CF23489115F
-----END RSA PRIVATE KEY-----

>> So it sounds like if I can dig the PKCS#10 request out of the PKCS#7 wrapper
>> then I should be able to use openssl to issue the certificate in the
>> normal fashion and the router should accept the new certificate.
>> 
>
> You can but the inner stuff is encrypted so you need to decrypt it
> first... it's encrypted using PKCS#7 enveloped-data and as I said OpenSSL
> doesn't have a utility to handle that at present.

Bummer.

>> Now what?  
> 
> Now it gets tricky. The only bit that is any real use is the public key.
> I assume you can't extract the private key corresponding to this
> request? If you can then either create your own request (and ignore the
> one it included) or turn the certificate into a request.

I see a command for displaying the Cisco 2501 public key.  I do not
see a command for displaying the private key.

> Failing that it should be possible to manually dump the public key into
> a certificate but some extra code would be needed to do that, basically
> turning off various signature checks in the code because we don't have
> the proper private key and need to stuff something bogus in there.
> 
> Before something yucky like that is attempted I'd suggest trying to
> decrypt the other stuff first.

Ok.

-- John
-------------------------------------------------------------------------
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: [EMAIL PROTECTED]  |
|    John Wehle    |     Fax: 1-215-540-5495  |                         |
-------------------------------------------------------------------------

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
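The exchange the thread is working towards (the CA decrypts the router's enveloped-data with its own private key, pulls out the PKCS#10 request, checks it, and signs a certificate in the normal way), replayed as an added example that is not part of the original mail or of OpenSSL's own documentation. It assumes a current `openssl` command line (1.1 or later), which, unlike the release being discussed, does have a tool for enveloped-data: `openssl cms`. The router is simulated, and the names used (Test Private CA, router.example.test) are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. It replays the flow
# discussed above with a current OpenSSL command line (1.1 or later), which
# does have a tool for enveloped-data: "openssl cms". The router is
# simulated; every name below (Test Private CA, router.example.test) is made up.
set -eu

# Returns 0 only if: the CSR recovered from the enveloped-data is byte-for-byte
# what the "router" produced, its PKCS#10 self-signature verifies, the public
# key inside is the router's, and the issued certificate chains to the CA.
run_enrollment_demo() {
    work="$(mktemp -d)"
    if (
        cd "$work" &&

        # 1. Throwaway private CA: the key that decrypts the envelope.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Test Private CA" -keyout ca.key -out ca.crt 2>/dev/null &&

        # 2. Simulated router: its own key pair and a PKCS#10 request.
        #    The CA side never touches router.key; only the request travels.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=router.example.test" -keyout router.key -out router.csr 2>/dev/null &&

        # 3. The request wrapped as enveloped-data encrypted to the CA cert
        #    (the "PKCS#7 wrapper" from the thread; CMS is the same structure).
        openssl cms -encrypt -binary -aes256 -outform DER \
            -in router.csr -out enveloped.der ca.crt &&

        # 4. CA side: decrypt with the CA private key. This is the step the
        #    thread says OpenSSL had no command for at the time.
        openssl cms -decrypt -inform DER -in enveloped.der \
            -inkey ca.key -recip ca.crt -out recovered.csr &&
        cmp -s router.csr recovered.csr &&

        # 5. Check the PKCS#10 self-signature: proof the requester holds the
        #    matching private key, which is why the public key is all the CA needs.
        openssl req -in recovered.csr -noout -verify >/dev/null 2>&1 &&
        [ "$(openssl req -in recovered.csr -noout -pubkey)" = \
          "$(openssl pkey -in router.key -pubout)" ] &&

        # 6. Issue the certificate "in the normal fashion" and verify the chain.
        openssl x509 -req -in recovered.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -sha256 -days 1 -out router.crt 2>/dev/null &&
        openssl verify -CAfile ca.crt router.crt >/dev/null
    ); then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

if run_enrollment_demo; then
    echo "enveloped PKCS#10 decrypted, verified and signed: OK"
else
    echo "enrollment demo FAILED" >&2
    exit 1
fi
```

Two caveats for a real router message rather than this constructed one. First, the enveloped-data is often itself carried inside an outer signed-data; `openssl cms -verify -noverify -inform DER -in msg.der -out inner.der` peels that layer without validating the signer's chain, after which the `-decrypt` step above applies. Second, the fallback Steve describes (signing a certificate over a bare public key when no usable request exists) later became an ordinary option, `-force_pubkey` on `openssl x509`, so no signature checks need to be patched out for it.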
