On Thu, Oct 23, 2014, Gregory Sloop wrote:

> Ok, so I know this isn't strictly an OpenSSL question, so I apologize - but
> I'd guess someone here knows the answer, or can direct me to the correct
> resource. [I've done a lot of searches, but no real luck.]
>
> I'm trying to import both a private key and certificate generated with
> OpenSSL into a Windows client. [Let's assume Win7 and 8]
> It looks like p12 files are probably the best way to go. [Glad to stand
> corrected, but that's what it looks like to me.]
>
> So, I've cranked out a p12 file [converted from separate PEM files, also
> initially generated with OpenSSL] with the client-private-key and client-cert
> inside.
> (Like so: openssl pkcs12 -keypbe aes-256-cbc -export -inkey infile.key -in
> infile.crt -out outfile.p12)
>
> I initially tried encrypting it with "-keypbe aes-256-cbc" - however Windows
> barfs on it. [This should encrypt the p12 with AES-256, I think.]
>
> I did it again, using "-descert" [which, AFAICT should encrypt with 3DES]
> (Like so: openssl pkcs12 -descert -export -inkey infile.key -in infile.crt
> -out outfile.p12)
>
> Windows likes this second one.
>
> While 3DES is probably "good enough" - I'd rather use AES-256.
>
> So the root of my question is:
> 1) What formats can Windows [7/8] accept? [Pointers somewhere would be good -
> google didn't help me find much.]
> 2) Is there some reasonable way to generate/convert the key/cert using
> OpenSSL, to use something better than 3DES that Windows will accept?
Well PKCS#12 is rather an old standard. It includes its own key derivation
algorithm and OIDs. Specifically:

    pbeWithSHAAnd128BitRC4
    pbeWithSHAAnd40BitRC4
    pbeWithSHAAnd3-KeyTripleDES-CBC
    pbeWithSHAAnd2-KeyTripleDES-CBC
    pbeWithSHAAnd128BitRC2-CBC
    pbeWithSHAAnd40BitRC2-CBC

When you use -descert you end up using pbeWithSHAAnd3-KeyTripleDES-CBC for
certificates and that same algorithm is used by default for private keys.

For AES a different key derivation algorithm can be used which is part of
PKCS#5 v2.0. Some implementations may only use the algorithms in the PKCS#12
standard itself which would explain the problems you were having.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
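Added example, not code from the thread and not OpenSSL's own: a small DER walker that answers the practical question behind Steve's reply, namely which PBE scheme a given .p12 actually carries. It knows the six PKCS#12-native OIDs he lists plus PBES2/PBKDF2 from PKCS#5 v2.0, descends into the OCTET STRINGs in which PKCS#12 nests its SafeContents, and reports each scheme with its iteration count. The two inputs are constructed inside the block (a 3DES pkcs-12PbeIds AlgorithmIdentifier of the kind -descert selects, and a PBES2/AES-256-CBC one), not real OpenSSL output; function names such as scan_pbe and uses_only_pkcs12_pbe are this example's own.

```python
"""Report which password-based encryption (PBE) schemes a PKCS#12 DER blob uses.
Added example, not code from the thread or from OpenSSL. Walks definite-length DER
(what OpenSSL writes), descending into OCTET STRINGs because PKCS#12 nests its
SafeContents inside them, and reports PKCS#12-native PBE and PKCS#5 v2.0 PBES2."""

PKCS12_PBE = {  # the six schemes under pkcs-12PbeIds (1.2.840.113549.1.12.1)
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"   # PKCS#5 v2.0
CIPHERS = {"2.16.840.1.101.3.4.1.42": "aes-256-cbc", "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
           "1.2.840.113549.3.7": "des-ede3-cbc"}

# --- minimal DER encoder, used only to build the constructed samples below ---
def tlv(tag, content):                 # short-form length only: the samples are < 128 bytes
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                     # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def encode_int(n):                     # non-negative only; the extra bit keeps it positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def seq(*parts): return tlv(0x30, b"".join(parts))
def octets(b): return tlv(0x04, b)

# --- minimal DER decoder ---
def read_tlv(buf, pos):
    """(tag, content, next_pos) for the TLV at buf[pos]; ValueError if it is not DER."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F         # 0 would mean indefinite length (BER, not DER)
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def describe_pbe(items):
    """If the SEQUENCE children `items` form a PBE AlgorithmIdentifier, describe it."""
    if len(items) < 2 or items[0][0] != 0x06 or not items[0][1]:
        return None
    oid = decode_oid(items[0][1])
    params = children(items[1][1]) if items[1][0] == 0x30 else []
    if oid in PKCS12_PBE:  # pkcs-12PbeParams ::= SEQUENCE { salt OCTET STRING, iterations INTEGER }
        iters = int.from_bytes(params[1][1], "big") if len(params) == 2 else "?"
        return f"{PKCS12_PBE[oid]} (PKCS#12 PBE, {iters} iterations)"
    if oid == PBES2 and len(params) == 2:
        # PBES2-params ::= SEQUENCE { keyDerivationFunc AlgId, encryptionScheme AlgId }
        kdf, enc = children(params[0][1]), children(params[1][1])
        kdf_oid, cipher = decode_oid(kdf[0][1]), decode_oid(enc[0][1])
        iters = int.from_bytes(children(kdf[1][1])[1][1], "big")   # PBKDF2-params.iterationCount
        kdf_name = "PBKDF2" if kdf_oid == PBKDF2 else kdf_oid
        return f"PBES2: {kdf_name} ({iters} iterations) + {CIPHERS.get(cipher, cipher)}"
    return None

def scan_pbe(der):
    """List every PBE scheme found anywhere in a DER blob, e.g. a whole .p12 file."""
    found = []
    def walk(content):
        for tag, body in children(content):
            if tag == 0x30 and (desc := describe_pbe(children(body))):
                found.append(desc)
                continue               # params already read; do not descend into them
            if tag & 0x20:             # constructed: SEQUENCE, SET, [0] ...
                walk(body)
            elif tag == 0x04:          # OCTET STRING: PKCS#12 nests DER inside these
                try:
                    walk(body)
                except (ValueError, IndexError):
                    pass               # opaque bytes (salt, IV, ciphertext), not DER
    walk(der)
    return found

def uses_only_pkcs12_pbe(der):
    """True when every scheme found is one of the six PKCS#12-native ones."""
    schemes = scan_pbe(der)
    return bool(schemes) and all("(PKCS#12 PBE" in s for s in schemes)

# --- constructed samples, not real OpenSSL output: an AlgorithmIdentifier plus dummy
# ciphertext, wrapped in an OCTET STRING the way a SafeContents is nested in a .p12 ---
SALT = bytes.fromhex("0011223344556677")

def sample_pkcs12_pbe():              # the scheme `openssl pkcs12 -descert` selects
    alg = seq(encode_oid("1.2.840.113549.1.12.1.3"), seq(octets(SALT), encode_int(2048)))
    return seq(octets(seq(alg, octets(b"\xff" * 16))))

def sample_pbes2():                   # PBES2 with PBKDF2 and AES-256-CBC
    kdf = seq(encode_oid(PBKDF2), seq(octets(SALT), encode_int(2048)))
    enc = seq(encode_oid("2.16.840.1.101.3.4.1.42"), octets(bytes(16)))
    return seq(octets(seq(seq(encode_oid(PBES2), seq(kdf, enc)), octets(b"\xff" * 16))))
```

To check a real file, call scan_pbe(open("outfile.p12", "rb").read()) on the output of the two commands in the thread: the -keypbe aes-256-cbc file reports a PBES2 entry for the key bag, which is the PKCS#5 v2.0 structure Steve describes, while the -descert file reports only pkcs-12PbeIds entries. openssl pkcs12 -info -noout -in outfile.p12 prints the same information. Note that -keypbe only sets the private-key scheme; the certificate bag has its own -certpbe option, and OpenSSL 3.0 and later default both to PBES2 with AES-256-CBC, so a file produced with no options on a current OpenSSL is already the variant that an importer limited to the PKCS#12-native schemes will reject.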