I took a look at the file Verisign returned based on my certificate request. It does have the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- wrapping. I ran asn1parse on it and ended up with the following result, so it seems to be a PKCS7 file.

0:d=0 hl=2 l=inf cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
13:d=1 hl=2 l=inf cons: cont [ 0 ]
15:d=2 hl=2 l=inf cons: SEQUENCE
17:d=3 hl=2 l= 1 prim: INTEGER :01
20:d=3 hl=2 l= 0 cons: SET
22:d=3 hl=2 l= 11 cons: SEQUENCE
24:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
35:d=3 hl=2 l=inf cons: cont [ 0 ]
37:d=4 hl=4 l= 598 cons: SEQUENCE
41:d=5 hl=4 l= 451 cons: SEQUENCE
45:d=6 hl=2 l= 16 prim: INTEGER :4DCB46731D385295368C53C114F7B139
63:d=6 hl=2 l= 13 cons: SEQUENCE
65:d=7 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
76:d=7 hl=2 l= 0 prim: NULL
78:d=6 hl=2 l= 95 cons: SEQUENCE
80:d=7 hl=2 l= 11 cons: SET
82:d=8 hl=2 l= 9 cons: SEQUENCE
84:d=9 hl=2 l= 3 prim: OBJECT :countryName
89:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US
93:d=7 hl=2 l= 32 cons: SET
95:d=8 hl=2 l= 30 cons: SEQUENCE
97:d=9 hl=2 l= 3 prim: OBJECT :organizationName
102:d=9 hl=2 l= 23 prim: PRINTABLESTRING :RSA Data Security, Inc.
127:d=7 hl=2 l= 46 cons: SET
129:d=8 hl=2 l= 44 cons: SEQUENCE
131:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
136:d=9 hl=2 l= 37 prim: PRINTABLESTRING :Secure Server Certification Authority
175:d=6 hl=2 l= 30 cons: SEQUENCE
177:d=7 hl=2 l= 13 prim: UTCTIME :020814000000Z
192:d=7 hl=2 l= 13 prim: UTCTIME :040813235959Z
207:d=6 hl=2 l= 125 cons: SEQUENCE
209:d=7 hl=2 l= 11 cons: SET
211:d=8 hl=2 l= 9 cons: SEQUENCE
213:d=9 hl=2 l= 3 prim: OBJECT :countryName
218:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US
222:d=7 hl=2 l= 14 cons: SET
224:d=8 hl=2 l= 12 cons: SEQUENCE
226:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
231:d=9 hl=2 l= 5 prim: PRINTABLESTRING :Texas
238:d=7 hl=2 l= 15 cons: SET
240:d=8 hl=2 l= 13 cons: SEQUENCE
242:d=9 hl=2 l= 3 prim: OBJECT :localityName
247:d=9 hl=2 l= 6 prim: T61STRING :Dallas
255:d=7 hl=2 l= 37 cons: SET
257:d=8 hl=2 l= 35 cons: SEQUENCE
259:d=9 hl=2 l= 3 prim: OBJECT :organizationName
264:d=9 hl=2 l= 28 prim: T61STRING :Kintetsu World Express (USA)
294:d=7 hl=2 l= 13 cons: SET
296:d=8 hl=2 l= 11 cons: SEQUENCE
298:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
303:d=9 hl=2 l= 4 prim: T61STRING :KGIT
309:d=7 hl=2 l= 23 cons: SET
311:d=8 hl=2 l= 21 cons: SEQUENCE
313:d=9 hl=2 l= 3 prim: OBJECT :commonName
318:d=9 hl=2 l= 14 prim: T61STRING :xmlint.kwe.com
334:d=6 hl=3 l= 159 cons: SEQUENCE
337:d=7 hl=2 l= 13 cons: SEQUENCE
339:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
350:d=8 hl=2 l= 0 prim: NULL
352:d=7 hl=3 l= 141 prim: BIT STRING
496:d=5 hl=2 l= 13 cons: SEQUENCE
498:d=6 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
509:d=6 hl=2 l= 0 prim: NULL
511:d=5 hl=2 l= 126 prim: BIT STRING
639:d=4 hl=2 l= 0 prim: EOC
641:d=3 hl=2 l= 0 cons: SET
643:d=3 hl=2 l= 0 prim: EOC
645:d=2 hl=2 l= 0 prim: EOC
647:d=1 hl=2 l= 0 prim: EOC

Upon finding that, I ran this command to change to PEM.

openssl pkcs7 -in file.pem -print_certs -out certs.pem

...and then tried to feed the resulting PEM to the original PKCS12 command I was trying.

openssl pkcs12 -export -in key.pem -certfile certs.pem -out server.p12 -name "Prod Forte Certificate"

Still complained about not being a certificate. I looked at the file and noticed there were now some additional unencrypted lines of text in it. I removed that and left the begin and end certificate wrappers, and retried. Still the same result.

Error loading certificates from input
7925:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE

Also, note, Verisign said this cert.cer file, is not what I give our client for their requests. Obviously, I don't give them the key.pem or the req.pem, and now not this, so what do I give them. We are doing server to server comm, so I need to hand them a certificate to include with their https requests.

Thanks in advance for any help.

David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bob Kupperstein
Sent: Wednesday, August 21, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: RE: PKCS#12 and Verisign cert

I suggest:
- edit the certificate file and see if "CERTIFICATE" is indeed in the first line, as your openssl pkcs12 command claims it doesn't see it.
- see if the asn1parse command can decipher the cert.
- try verifying it by specifying different cert formats to find out what type it really is.
- try adding "------ BEGIN CERTIFICATE -------", "-------- END CERTIFICATE --------" wrappers if not there (check number of dashes!).

-Bob

-----Original Message-----
From: David Iungerich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: PKCS#12 and Verisign cert

The cert.cer file is the result of taking a request file in PEM format (req.pem) and giving its contents to Verisign for signing. According to Verisign, they send back in the same format. Question is, what did they send back, and did I send the right thing.

This is getting a bit annoying trying to come up with a server cert and client key to hand out. It should be so simple.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dr. Stephen Henson
Sent: Tuesday, August 20, 2002 5:37 PM
To: [EMAIL PROTECTED]
Subject: Re: PKCS#12 and Verisign cert

On Tue, Aug 20, 2002, David Iungerich wrote:

> I have the following.
>
> key.pem - private key created with openssl.
> req.pem - CSR created with openssl.
> cert.cer - Signed cert returned from Verisign after sending them req.pem.
>
> I need to find out what openssl commands to use to package this all up in a
> PKCS#12 file that my server requires. Anyone know the specific steps.
>
> I've tried the following, but I get the below error.
>
> openssl pkcs12 -export -in key.pem -certfile cert.cer -out server.p12 -name "Prod Forte Certificate"
>
> I've also tried copying the certificate text in the e-mail that came back
> from Verisign and placing that in a file with a .pem extension. Same
> result.
>
> Error loading certificates from input
> 20906:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE
>

What is in the .cer file? It probably isn't a certificate in PEM format and may need converting.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
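
Added example (not part of the original thread and not OpenSSL code): a small check for the question raised above, namely what a file with BEGIN/END CERTIFICATE wrappers really contains. It reads the first ASN.1 element inside the outer SEQUENCE, as asn1parse shows it, and handles the BER indefinite lengths (l=inf) seen in the dump. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Constructed sample: opening bytes of a BER signedData (indefinite lengths,
# which asn1parse prints as l=inf) under a CERTIFICATE label.
_ber = bytes.fromhex("3080" "0609" "2a864886f70d010702" "a080" "0000" "0000")
SAMPLE = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_ber).decode()
          + "\n-----END CERTIFICATE-----\n")

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end); end is None for l=inf."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                       # BER indefinite length
        return tag, pos, None
    if first < 0x80:                        # short form
        return tag, pos, pos + first
    n = first & 0x7F                        # long form: n length bytes follow
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def classify_der(der):
    """Classify by the first element inside the outer SEQUENCE."""
    try:
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:
            return "unknown"
        inner_tag, inner_start, inner_end = read_tlv(der, start)
    except IndexError:
        return "unknown"
    if inner_tag == 0x06 and der[inner_start:inner_end] == PKCS7_SIGNED_DATA:
        return "pkcs7-signedData"           # ContentInfo opens with this OID
    if inner_tag == 0x30:
        # tbsCertificate SEQUENCE; CSRs and CRLs share this shape, so the
        # PEM label is still needed to tell them apart.
        return "certificate-shaped"
    return "unknown"

def classify_pem(text):
    """Return (pem_label, detected_type) for the first PEM block, or None."""
    m = PEM_RE.search(text)
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(2).split()))
    except ValueError:
        return m.group(1), "unknown"
    return m.group(1), classify_der(der)
```

For a file reported as pkcs7-signedData, openssl pkcs7 -print_certs (as used in the thread) extracts the certificates it carries. openssl pkcs12 -export then reads the certificate from -in and the private key from -inkey.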