
I have a private key together with a certificate in a pem file. The part of the private key starts with:

    -----BEGIN ENCRYPTED PRIVATE KEY-----

I have a passphrase for it.

I need to bring it back to the standard format:

    -----BEGIN RSA PRIVATE KEY-----

I tried different commands:

  1. Decrypt the key from original file:

    openssl rsa -in cert+key.pem -out keydecry.pem
    
  2. Copy only the key part into a separate PEM file and run the same command:

    openssl rsa -in key.pem -out keydecry.pem
    
  3. Use the pkcs8 command:

    openssl pkcs8 -in key.pem -out keydecry.pem
    

I always got the same error:

    Enter pass phrase for key.pem:
    unable to load Private Key
    7308:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1198:
    7308:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:372:Type=X509_ALGOR
    7308:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:694:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
    7308:error:2306A065:PKCS12 routines:PKCS12_item_decrypt_d2i:decode error:.\crypto\pkcs12\p12_decr.c:159:
    7308:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:.\crypto\pem\pem_pkey.c:141:

I tested with OpenSSL 0.9 on Linux and 1.0.1 on Windows (both 32-bit and 64-bit). If I try `asn1parse`, it works:

    openssl asn1parse -in key.pem

    0:d=0  hl=4 l=1233 cons: SEQUENCE
    4:d=1  hl=2 l=  27 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :pbeWithMD5AndDES-CBC
   17:d=2  hl=2 l=  14 cons: SEQUENCE
   19:d=3  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:7BFD38372A5E0A60
   29:d=3  hl=2 l=   2 prim: INTEGER           :0800
   33:d=1  hl=4 l=1200 prim: OCTET STRING      [HEX DUMP]:36971F7945F8FE55C8F327E849AB2B97957DF42D7C9691AB06DCE939BA37F64C09E5807D0BC22AE25E4D990D449B6967EDC35E......
Jens Erat
vistamare
  • Have you tried: `openssl rsa -in key.pem -outform PEM -out keydecry.pem` – Romeo Ninov Jun 08 '15 at 05:33
  • That shouldn't happen unless the generation (particularly encryption) had a bug or the ciphertext portion of the PKCS8 has been altered (probably by mistake). If this file/portion is a copy compare it to the original; if it's the original and you have a backup or other copy compare to that. If the key generation is a process you can repeat, try that; if you can reproduce the problem on a test key & password that is okay to expose, show those in full. I notice the length suggests the wrapped RSA key has a "size" (modulus) of about 2016 bits; although legal, this is a very unusual choice. ... – dave_thompson_085 Jun 09 '15 at 06:59
  • ... For info, all `openssl` commandline operations that read a *PEM* privatekey, which this is, go through the same library routine and only after the read is complete do different things with the result, so getting the exact same error for different read attempts is expected. – dave_thompson_085 Jun 09 '15 at 07:01
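
Added example, not part of the original question or comments: a Python sketch that reads the PBES1 header shown in the `asn1parse` dump in the question (algorithm OID, salt, iteration count), checks that the ciphertext is a whole number of DES blocks, and derives the DES key and CBC IV from a passphrase with PKCS#5 v1.5 PBKDF1. The DER blob is constructed from the values in the dump, with zero bytes standing in for the truncated ciphertext; all function names are assumptions.

```python
import hashlib

# DER content bytes of OID 1.2.840.113549.1.5.3 (pbeWithMD5AndDES-CBC, PKCS#5 v1.5)
PBE_MD5_DES_CBC_OID = bytes.fromhex("2a864886f70d010503")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_pbes1(der):
    """Split an EncryptedPrivateKeyInfo into (oid, salt, iterations, ciphertext)."""
    _, outer, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, alg, pos = read_tlv(outer, 0)          # AlgorithmIdentifier
    _, ciphertext, _ = read_tlv(outer, pos)   # encryptedData OCTET STRING
    _, oid, pos = read_tlv(alg, 0)
    _, params, _ = read_tlv(alg, pos)         # PBEParameter SEQUENCE
    _, salt, pos = read_tlv(params, 0)
    _, count, _ = read_tlv(params, pos)
    return oid, salt, int.from_bytes(count, "big"), ciphertext

def pbkdf1_md5(passphrase, salt, iterations):
    """PKCS#5 v1.5 PBKDF1 with MD5: returns (DES key, CBC IV), 8 bytes each."""
    digest = passphrase + salt
    for _ in range(iterations):
        digest = hashlib.md5(digest).digest()
    return digest[:8], digest[8:]

def structural_problems(der):
    """List reasons the blob cannot be a well-formed PBE-MD5-DES key."""
    oid, salt, iterations, ciphertext = parse_pbes1(der)
    problems = []
    if oid != PBE_MD5_DES_CBC_OID:
        problems.append("unexpected algorithm OID " + oid.hex())
    if len(salt) != 8 or iterations < 1:
        problems.append("bad PBE parameters")
    if not ciphertext or len(ciphertext) % 8:
        problems.append("ciphertext is not a whole number of DES blocks")
    return problems

def sample_der(ct_len=1200):
    """Constructed blob: header values from the dump, zero bytes as ciphertext."""
    alg = bytes.fromhex("301b06092a864886f70d010503300e04087bfd38372a5e0a6002020800")
    body = alg + b"\x04\x82" + ct_len.to_bytes(2, "big") + bytes(ct_len)
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body
```

To run it against a real file, base64-decode the body between the PEM `BEGIN`/`END` lines and pass the resulting bytes to `parse_pbes1`.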

0 Answers