The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream




    More Photos
  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,692 other followers

Archive for February 27th, 2015

Some command-line tips for OpenSSL and file format (pfx, p12, cer, crt, key, etc.) conversion of certificates, keys

Posted by jpluimers on 2015/02/27

OpenSSL is really nice, but remembering all these command-line switches is difficult, especially when you do not use them often enough.

I don’t, and when I do there are a few common tasks I perform, and I was glad to find a few links with great information:

I’ve converted them to batch files that run fine when copied to the directory where you put the x86 or x64 Windows version of OpenSSL (they assume %~dp0openssl.exe for the location of the OpenSSL.exe binary, just in case it is not on the path, or you have various tools that scattered around incompatible copies of OpenSSL binaries).

OpenSSL defaults to PEM format (that has text base64 strings), so if you get DER format (binary) you need to convert them.

A few errors I got and what they mean

Error decrypting PKCS#7 structure

Error decrypting PKCS#7 structure
5216:error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate:.\crypto\pkcs7\pk7_doit.c:538:
5216:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error:.\crypto\pkcs7\pk7_smime.c:557:

This error means that the recipient of the email does not match the certificate you pass in. What happens is that OpenSSL tries to decrypt the mail, it cannot match the certificate to the mail, and barfs. It usually happens when you have From/To reversed by accident.

Error decrypting PKCS#7 structure

Error decrypting PKCS#7 structure
4948:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:.\crypto\x509\x509_cmp.c:330:
4948:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:.\crypto\pkcs7\pk7_smime.c:552:

This means somewhere you mixed up a private and public key in the certificate files.

Use something like the OpenSSL wrapper verify-private-key-matches-certificate-x509-pem-cer.bat to verify them.

Error reading S/MIME message

Error reading S/MIME message
6900:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:.\crypto\asn1\a_d2i_fp.c:251:
6900:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error:.\crypto\asn1\asn_mime.c:193:
6900:error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error:.\crypto\asn1\asn_mime.c:528:

OpenSSL does not like .EML files to end with a period (. which SMTP needs to process when sending an .EML file).
See and
The former throws this error, the latter not. This is not caused the width of the base64 encoding (not yet archived at the WayBack machine), which I initially thought, but the terminating period.

Verification failure

Verification failure
8228:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:self signed certificate in certificate chai


Posted in OpenSSL, Power User, Security, Windows, Windows 7, Windows 8, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows XP | Leave a Comment »

%d bloggers like this: