OpenSSL 1.0.1e 11 Feb 2013
Generating a self-signed certificate:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 365
During the process a PEM passphrase is requested:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
There are 2 resulting files after successful completion in PEM format:
key.pem, cert.pem
The private key (key.pem) is in PKCS#8 format and the starting line reads:
-----BEGIN ENCRYPTED PRIVATE KEY-----
Now I am trying to combine the certificate, as well as the related private key, into a PKCS#12 keystore and protect the keystore with a password. Note - from my understanding this should effectively enforce requesting a password during read access, as well as a passphrase for the private key of the corresponding entry:
openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12
Upon execution I am asked for the following:
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:
However, it is my understanding that the passphrase should remain intact for the private key that is now being stored in the keystore.p12 file. Here is how I try to read the contents of the keystore:
openssl pkcs12 -nodes -info -in keystore.p12
The output I get (only related to protecting the keystore with a password):
Enter Import Password:
It lists the certificate, as well as the private key, in PEM format without requesting the passphrase for the latter. That is basically the problem. The PEM passphrase is no longer there for the private key. What am I doing wrong, or how can I fix this? Thank you.
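The following script is an added example and not part of the original question; it reproduces the asker's three steps non-interactively and checks what protects the private key at each stage. `openssl pkcs12 -export` decrypts key.pem with the PEM passphrase and re-encrypts the key inside the .p12 as a PKCS8ShroudedKeyBag under the export password; the original PEM passphrase is not stored in the file, which is why reading the keystore with `-nodes` prompts only for the import password. The passphrase values, the CN and the file names are placeholders chosen for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): walk through generate -> export
# -> inspect and show which password guards the key at each step.
# PEM_PASS, EXPORT_PASS, NEW_PEM_PASS and the CN are assumed demo values.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"

PEM_PASS='pem-secret'          # passphrase on key.pem (placeholder)
EXPORT_PASS='p12-secret'       # export / import password of keystore.p12 (placeholder)
NEW_PEM_PASS='new-pem-secret'  # passphrase re-applied when extracting (placeholder)

# Step 1: self-signed certificate with an encrypted PKCS#8 private key.
# -subj skips the DN prompts, -passout skips the "Enter PEM pass phrase" prompt.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 \
        -subj '/CN=pkcs12-demo' -passout "pass:$PEM_PASS" 2>/dev/null
    head -n 1 key.pem            # -----BEGIN ENCRYPTED PRIVATE KEY-----
}

# Step 2: export to PKCS#12. -passin unlocks key.pem once; the key is then
# re-encrypted inside the .p12 under the export password (-passout).
# -info lists the bag types; the key sits in a "Shrouded Keybag".
export_p12() {
    openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12 \
        -passin "pass:$PEM_PASS" -passout "pass:$EXPORT_PASS"
    # -info writes its structure dump to stderr, hence 2>&1.
    openssl pkcs12 -info -noout -in keystore.p12 -passin "pass:$EXPORT_PASS" 2>&1 \
        | grep -c 'Shrouded Keybag'
}

# Step 3a: the original PEM passphrase is no longer usable anywhere in the
# keystore; offered as the import password it fails the MAC check.
wrong_pass_rejected() {
    if openssl pkcs12 -in keystore.p12 -nodes -passin "pass:$PEM_PASS" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Step 3b: what the asker observed. -nodes means "do not re-encrypt the
# extracted key", so the key is printed as an unencrypted PKCS#8 PEM block.
read_key_plain() {
    openssl pkcs12 -in keystore.p12 -nocerts -nodes -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | grep -m1 -e '-----BEGIN'  # -----BEGIN PRIVATE KEY-----
}

# Step 3c: drop -nodes and supply -passout, and openssl re-encrypts the
# extracted key under a (new) PEM passphrase on the way out.
read_key_encrypted() {
    openssl pkcs12 -in keystore.p12 -nocerts -passin "pass:$EXPORT_PASS" \
        -passout "pass:$NEW_PEM_PASS" 2>/dev/null \
        | grep -m1 -e '-----BEGIN'  # -----BEGIN ENCRYPTED PRIVATE KEY-----
}

main() {
    echo "key.pem header:           $(gen_cert)"
    echo "shrouded key bags in p12: $(export_p12)"
    echo "PEM pass as import pass:  $(wrong_pass_rejected)"
    echo "extracted with -nodes:    $(read_key_plain)"
    echo "extracted with -passout:  $(read_key_encrypted)"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo 'openssl not in PATH; skipping demo' >&2
fi
```

The practical consequence: a PKCS#12 file has exactly one secret guarding its key bags, the export password, so that password must be treated with the same care as the PEM passphrase was. Any separate protection for the extracted key has to be re-applied on the way out (`-passout`), never relied on to survive inside the .p12.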
I am pretty sure I was prompted to enter a PEM passphrase once when I ran -info on a couple of .p12 files (I can't seem to replicate the exact steps I performed to trigger it though, hence why I posted) – XXL – 2013-12-06T00:47:19.917
Try the same with NSS certutil and pk12util... you will get the same behavior as I mentioned. If you were asked for a PEM pass, it was when you were exporting things from PKCS12... and storing them encoded in PEM format. -info is "give info about PKCS#12 structure", not export. – nudzo – 2013-12-06T19:22:28.317
I am only using -info to list the contents of the keystore and I assure you that I was requested to enter a PEM passphrase when doing so (I am not dreaming, hence why I'm giving out a bounty on this question) - SafeBag containers should carry a password as well. – XXL – 2013-12-08T17:05:40.707
Coincidentally I had to do some cert updates yesterday and realized what your question is about... answer above in edit. – nudzo – 2013-12-08T21:11:06.970
I think you cracked it :) I've only got 1 question left - is JKS expected to behave the same way, as in, it also doesn't support protecting cert/privkey pairs with a standalone password? Maybe you've come across it as well at some point by chance – XXL – 2013-12-08T21:53:43.613