Trying to convert webserver certificate to PEM file for Wireshark to monitor SSL traffic in HTTP format


I am trying to monitor https traffic as readable HTML.

I have downloaded the certificate from the server.

"In Internet Explorer, I selected the certificate and copy to file, DER encoded binary X.509 (cer)"

I run this command and it works:

openssl x509 -inform der -in Test3.cer -out key.cert

And I get a file key.cert with:

-----BEGIN CERTIFICATE-----

...

For information, when I run this command I get pretty output about the cert:

openssl x509 -in key.cert -noout -text

According to the docs, I need to have a key.pem, private/key file.

So I try to run this command, I think to get a DER output format.

openssl base64 -in key.cert -out 1.der

... And then I run this to get the pem file and I get this error:

Error reading key
6072:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: ENCRYPTED PRIVATE KEY

openssl pkcs8 -in 1.der -out temp.pem


--- I tried this also

$ openssl pkcs8 -topk8 -inform der -in 1.der -out temp.pem
unable to load key
2752:error:0D094065:asn1 encoding routines:d2i_ASN1_SET:bad class:a_set.c:190:
2752:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1315:
2752:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:379:Type=RSA
2752:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:

Berlin Brown

Posted 2011-12-02T17:03:34.610

Reputation: 131

Answers

1

To decrypt the traffic, you need both the private key and the certificate. The key is stored (hopefully securely) on the webserver, and is used in conjunction with the certificate to authenticate itself to you, the user.

The commands you're running won't work without the private key. The output above from openssl base64 -in key.cert -out 1.der tells you this when it says it's expecting an encrypted private key, whereas you're providing it with a certificate.

If you're trying to decrypt traffic between yourself and a webserver you have access to, get the private key from the webserver. If it's not your webserver, then you won't be able to decrypt the traffic - that's the whole point of SSL/TLS.

Andy Smith

Posted 2011-12-02T17:03:34.610

Reputation: 691

How does the browser send that information encrypted without the key? What commands do I need to run once I get the key (and I already have the certificate). – Berlin Brown – 2011-12-02T17:28:11.947

The handshaking between server and client is more detailed than I can describe in a comment - have a look at http://en.wikipedia.org/wiki/Transport_Layer_Security for more details. If the key/certificate are unencrypted, then you can just copy and paste them both into the same file. Have a look at http://www.madboa.com/geek/openssl for more.

– Andy Smith – 2011-12-02T17:39:15.357
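
Added example, not part of the original answer or comments: a shell sketch of the checks discussed above, run on a throwaway self-signed key and certificate generated on the spot. It tells a certificate from a private key by PEM label, confirms that a key belongs to a certificate by comparing public keys, and only then writes both into one file as the last comment describes; the file names and the functions `pem_kind`, `key_matches_cert` and `make_keyfile` are assumptions made for the example.

```shell
# Added example. The key and certificate are throwaway values generated here.

# Report what a PEM file holds, judged by its BEGIN labels.
pem_kind() {
    cert=no; key=no
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && cert=yes
    grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" && key=yes
    case "$cert$key" in
        yesyes) echo key+certificate ;;
        yesno)  echo certificate ;;
        noyes)  echo private-key ;;
        *)      echo unknown ;;
    esac
}

# Succeed only if the certificate carries the public half of the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the single key-plus-certificate PEM file, refusing a mismatched pair.
make_keyfile() {   # usage: make_keyfile KEY CERT OUT
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    (umask 077; cat "$1" "$2" > "$3")   # output readable by the owner only
}

# Constructed test material: a self-signed certificate and an unrelated key.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/other.key" 2>/dev/null

# Same round trip as the question: DER export, then back to PEM.
openssl x509 -in "$work/server.crt" -outform der -out "$work/Test3.cer"
openssl x509 -inform der -in "$work/Test3.cer" -out "$work/key.cert"

echo "key.cert holds:   $(pem_kind "$work/key.cert")"
echo "server.key holds: $(pem_kind "$work/server.key")"
make_keyfile "$work/server.key" "$work/key.cert" "$work/wireshark.pem" &&
    echo "wireshark.pem holds: $(pem_kind "$work/wireshark.pem")"
make_keyfile "$work/other.key" "$work/key.cert" "$work/bad.pem" ||
    echo "unrelated key rejected"
```

The file converted from the browser export reports `certificate` however it is re-encoded, which is why the `pkcs8` attempts in the question found no key to read.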