I have followed the steps listed here to create a new private key and certificate. Now I am trying to combine them into a .pfx file.
OpenSSL should be able to read in both the private key and the certificate from a single file, and according to the man docs, should also be able to read from stdin. However, this doesn't seem to be working for me.
On Mac OS X 10.14.3, openssl version gives "LibreSSL 2.6.5".
I combined my certificate and key into one file (called 'combined.pem'). I did this with the following commands:
$ openssl genrsa -out private.key 2048
$ openssl req -new -x509 -key private.key -out public.cer -days 365
$ cat public.cer >> combined.pem
$ cat private.key >> combined.pem
For reference, combined.pem looks something like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
When I run the following command, everything works fine:
$ openssl pkcs12 -export -out x509.pfx -in combined.pem
When I run this command, I get an error:
$ openssl pkcs12 -export -out x509.pfx < combined.pem
unable to load certificates
I have also tried:
$ cat combined.pem | openssl pkcs12 -export -out x509.pfx
unable to load certificates
What am I missing? Is OpenSSL not really able to read from stdin for this?
Also, from the man docs:
     -in file
           The input file to read from, or standard input if not specified.  The order doesn't matter but one private key and its corresponding certificate should
           be present.  If additional certificates are present, they will also be included in the PKCS#12 file.
     -inkey file
           File to read a private key from.  If not present, a private key must be present in the input file.
The truth is - it depends on the exact openssl command.
For the openssl crl it was enough to omit the -in param:
curl -s ${VAULT_ADDR}/v1/pki/crl 2>&1 | openssl crl -inform der -noout -text
For the openssl x509 you must supply the -in - param:
curl -s ${VAULT_ADDR}/v1/pki/ca 2>&1 | openssl x509 -text -noout -nameopt multiline,show_type -in -
I guess my suggestion is to test one of these two in your particular case.
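A way to follow that suggestion systematically, as an added example that is not part of the question or the answer: the script rebuilds the asker's combined.pem in a directory only the current user can read, then runs a given openssl subcommand three ways (explicit -in file, bare stdin, and -in -) and reports which ones succeed. The subject name and export password are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the question or answer): rebuild the asker's
# combined.pem in a private temp dir, then probe which input modes an
# openssl subcommand accepts. Subject and password are demo values.
set -u
# private.key, public.cer and combined.pem (cert first, then key, as on
# the page) go in a directory only the current user can read.
make_combined_pem() {
    umask 077
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/private.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -x509 -key "$dir/private.key" -out "$dir/public.cer" \
        -days 365 -subj "/CN=stdin-probe" >/dev/null 2>&1 || return 1
    cat "$dir/public.cer" "$dir/private.key" > "$dir/combined.pem" || return 1
    printf '%s\n' "$dir"
}
# Run one command with the PEM supplied as "-in <path>" (file), as bare
# stdin with no -in (stdin), or as "-in -" (dash); returns its exit status.
run_mode() {
    m=$1; f=$2; shift 2
    case $m in
        file)  "$@" -in "$f" ;;
        stdin) "$@" < "$f" ;;
        dash)  "$@" -in - < "$f" ;;
    esac
}
# Try all three modes, printing "mode: ok" or "mode: FAIL"; openssl's own
# output is discarded, only the exit status is reported.
probe_input_modes() {
    pem=$1; shift
    for m in file stdin dash; do
        if run_mode "$m" "$pem" "$@" >/dev/null 2>&1; then
            printf '%s: ok\n' "$m"
        else
            printf '%s: FAIL\n' "$m"
        fi
    done
}
main() {
    dir=$(make_combined_pem) || { echo "openssl setup failed" >&2; return 1; }
    echo "== openssl x509 -noout -subject"
    probe_input_modes "$dir/combined.pem" openssl x509 -noout -subject
    echo "== openssl pkcs12 -export (password is a demo value)"
    probe_input_modes "$dir/combined.pem" openssl pkcs12 -export \
        -out "$dir/x509.pfx" -passout pass:example
    rm -rf "$dir"
}
# Run the demo only when openssl is present, so sourcing the file is harmless.
if command -v openssl >/dev/null 2>&1; then main; fi
```

The "file" line is expected to read ok on every build; whether "stdin" and "dash" do depends on the openssl build and subcommand, which is exactly what the probe is for.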