Steve,

Just so I'm clear, what I hear you saying is that when I re-encrypt the RSA private key with the new password, the error is not propagated to the new private key file, and that corresponds to what I see when I subsequently decrypt the new encrypted private key, because I no longer get the "No Octet..." warning message. That leaves me with the question of why IBM's DCM would fail when importing the output of the pkcs12 export. According to IBM's documentation, DCM requires validly formatted PKCS12 V2 files. The OpenSSL documentation doesn't mention V2, but does cite PFX, which I thought was generally considered to be V1, so the question arises: are the PKCS#12 files produced by OpenSSL V2?
Bob

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, April 22, 2009 12:42 PM
To: openssl-users@openssl.org
Subject: Re: A question about mal-formed private keys

On Wed, Apr 22, 2009, Bob Barnes wrote:

> I've been working with OpenSSL to try and convert an existing private key
> generated by an old SSL software package and during the process of using
> PKCS8 to decrypt from the "Encrypted Private Key" to the "RSA Private Key"
> I get an error "No Octet String in PrivateKey". My understanding is that
> this is due to some improper encoding, which OpenSSL is able to work
> around. I'm able to successfully re-encrypt the resulting private key with
> a new password and to combine that private key with the certificate chain
> using PKCS12 into what appears to be a valid PKCS12 file, however, the
> resulting file is not importable into IBM's DCM due to an "ASN1 encoding
> error". I suspect that this may be due to the original encoding problem,
> although I'm not certain. Assuming that's the case, can someone give me an
> explanation of the "No Octet..." error and is OpenSSL capable of correcting
> the original encoding problem either during the original decryption or at
> some other point in the process or is that simply not possible.
>

The encoding error is just something OpenSSL tolerates in the key format. It is not propagated to other formats which use the right form.

I'd suggest messing round with some of the options such as -nomaciter and alternative certificate and key encryption algorithms.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
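The steps Bob describes (pkcs8 decrypt, re-encrypt under a new password, pkcs12 export) and the options Steve suggests (-nomaciter plus older key and certificate PBE algorithms), rehearsed end to end on a throwaway key as an added example that is not part of this thread. The self-signed test certificate, file names and passwords are constructed here, and a local asn1parse plus the -info dump stand in for the DCM import check.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the conversion and the
# suggested PKCS#12 options on a disposable key before touching the real one.
set -eu

# Stand-in for the old package's key: an encrypted PKCS#8 key (constructed).
make_legacy_key() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dcm-test" \
        -keyout "$dir/plain.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs8 -topk8 -v2 des3 -in "$dir/plain.pem" \
        -passout pass:oldpw -out "$dir/legacy.p8"
}

# The thread's steps: pkcs8 decrypt, re-encrypt with a new password, then
# pkcs12 export with -nomaciter and SHA-1/3DES PBE and MAC. Recent OpenSSL
# defaults to AES and SHA-256 here, which 2009-era importers do not read.
convert_and_export() {
    dir=$1
    openssl pkcs8 -in "$dir/legacy.p8" -passin pass:oldpw -out "$dir/rsa.pem"
    openssl rsa -in "$dir/rsa.pem" -aes256 -passout pass:newpw \
        -out "$dir/rsa-new.pem" 2>/dev/null
    # Confirm the re-encrypted key parses before bundling it.
    openssl rsa -in "$dir/rsa-new.pem" -passin pass:newpw -check -noout >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/rsa-new.pem" -passin pass:newpw \
        -in "$dir/cert.pem" -out "$dir/bundle.p12" -passout pass:p12pw \
        -nomaciter -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
}

# Local substitute for the DCM import: the DER must parse as ASN.1, and the
# -info dump should show one MAC iteration and the requested PBE algorithm.
verify_bundle() {
    dir=$1
    openssl asn1parse -inform DER -in "$dir/bundle.p12" >/dev/null
    openssl pkcs12 -in "$dir/bundle.p12" -passin pass:p12pw -info -noout -nodes 2>&1 \
        | grep -E 'MAC:.*Iteration 1$|pbeWithSHA1And3-KeyTripleDES-CBC'
}

# Run the rehearsal in a temp dir; prints the matching -info lines.
demo() {
    dir=$(mktemp -d)
    rc=0
    make_legacy_key "$dir" && convert_and_export "$dir" && verify_bundle "$dir" || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Invoke `demo` after sourcing the script; a non-zero exit or a missing `Iteration 1` line means the bundle is not using the legacy-friendly settings.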