OpenSSL is really nice, but remembering all these command-line switches is difficult, especially when you do not use them often enough.
I don’t, and when I do there are a few common tasks I perform, and I was glad to find a few links with great information:
- Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange) | Cycure.
- SSL Converter – Convert SSL Certificates to different formats.
- The Most Common OpenSSL Commands.
- OpenSSL Command-Line HOWTO.
- Powerpoint presentation: http://web.cs.dal.ca/~tt/ECMM6010/presentations/OpenSSL.ppt.
- How to Convert certificates between PEM, DER, P7B/PKCS#7, PFX/PKCS#12 | My Online Storage of Knowledge.
- Convert a CERT/PEM certificate to a PFX certificate – Stack Overflow.
- DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them.
- Knowledge Sharing…: Extracting Public Certificate and Private Key From PFX File.
- Verifying that a Private Key Matches a Certificate.
- Verifying that a Certificate is issued by a CA / encryption – How do you test a public/private keypair? – Stack Overflow.
- Tech Talk @ N3TLab.com: OpenSSL Windows – How to install, use and generate a SSL certificate (which also fixes the “WARNING: can’t open config file: /usr/local/ssl/openssl.cnf”).
- ssl – What kind of private key is located in a PKC12 pfx file? – Stack Overflow (I’ve included this one because it explains the concepts of X509, CAs and private keys well).
- Sending S/MIME email using OpenSSL.
- OpenSSL: Documents, openssl(1), as I always forget this nice list of commands:
    openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms ]
- Secure E-Mail: Problems, Standards, and Prospects – The Internet Protocol Journal – Volume 2, No. 1 – Cisco Systems. The OpenSSL documentation does not explain clear versus opaque signing; I prefer the latter, as the whole email gets encapsulated in one base64 blob, so intermediate gateways have a much harder job messing with the content.
- Certificate Installation with OpenSSL – Other People’s Certificates.
I’ve converted them to batch files that run fine when copied to the directory where you put the x86 or x64 Windows version of OpenSSL (they use %~dp0openssl.exe as the location of the openssl.exe binary, in case it is not on the PATH or various tools have scattered incompatible copies of the OpenSSL binaries around).
OpenSSL defaults to the PEM format (base64 text), so if you get files in DER format (binary) you need to convert them.
A few errors I got and what they mean
Error decrypting PKCS#7 structure
    Error decrypting PKCS#7 structure
    5216:error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificate:.\crypto\pkcs7\pk7_doit.c:538:
    5216:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error:.\crypto\pkcs7\pk7_smime.c:557:
This error means that the recipient of the email does not match the certificate you pass in. OpenSSL tries to decrypt the mail, finds no recipient entry that matches that certificate, and gives up. It usually happens when you have accidentally swapped the From and To certificates.
Error decrypting PKCS#7 structure
    Error decrypting PKCS#7 structure
    4948:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:.\crypto\x509\x509_cmp.c:330:
    4948:error:2107207F:PKCS7 routines:PKCS7_decrypt:private key does not match certificate:.\crypto\pkcs7\pk7_smime.c:552:
This means somewhere you mixed up a private and public key in the certificate files.
Use something like the OpenSSL wrapper verify-private-key-matches-certificate-x509-pem-cer.bat to verify them.
Error reading S/MIME message
    Error reading S/MIME message
    6900:error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data:.\crypto\asn1\a_d2i_fp.c:251:
    6900:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error:.\crypto\asn1\asn_mime.c:193:
    6900:error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error:.\crypto\asn1\asn_mime.c:528:
OpenSSL does not like .EML files that end with a line containing only a period (the “.” end-of-data marker that SMTP needs when an .EML file is sent).
See https://gist.github.com/anonymous/7233372 and https://gist.github.com/anonymous/7233329
The former throws this error, the latter does not. It is not caused by the width of the base64 encoding (that link is not yet archived at the Wayback Machine), as I initially thought, but by the terminating period.
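Two of the errors above (the key/certificate mismatch, and the .EML terminated by a lone period) are easy to check for before calling openssl smime. The script below is an added example, not one of the batch files from this post; it assumes openssl(1) is on the PATH and builds its own throwaway key, certificate and message to demonstrate both checks.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) is on PATH.

# Fingerprint of the SubjectPublicKeyInfo carried by a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# The same fingerprint derived from a PEM private key (RSA or EC), so both compare directly.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# Exit status 0 when the private key belongs to the certificate, 1 otherwise
# (an unreadable key or certificate yields an empty fingerprint and therefore 1).
key_matches_cert() {
    k=$(key_pubkey_fp "$1") && c=$(cert_pubkey_fp "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Copies an .eml file, dropping a final line that is just "." (the SMTP end-of-data
# marker, with or without a trailing CR) so that `openssl smime` can parse it;
# every other line is copied unchanged.
strip_smtp_terminator() {
    awk 'NR > 1 { print prev } { prev = $0 }
         END { if (NR > 0 && prev !~ /^\.\r?$/) print prev }' "$1" > "$2"
}

# Constructed demo input: a throwaway self-signed certificate with its key, an
# unrelated key, and a tiny message that ends in the SMTP terminator.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" -days 1 \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$d/other.pem" 2>/dev/null
    key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key.pem matches cert.pem"
    key_matches_cert "$d/other.pem" "$d/cert.pem" || echo "other.pem does not match cert.pem"
    printf 'Subject: test\r\n\r\nbody\r\n.\r\n' > "$d/msg.eml"
    strip_smtp_terminator "$d/msg.eml" "$d/clean.eml"
    echo "last line after stripping: $(tail -n 1 "$d/clean.eml" | tr -d '\r')"
    rm -rf "$d"
}

demo
```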
Verification failure
    Verification failure
    8228:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:.\crypto\pkcs7\pk7_smime.c:342:Verify error:self signed certificate in certificate chain
–jeroen