
OpenSSL 1.0.1e 11 Feb 2013

Generating a self-signed certificate:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 365

During the process a PEM passphrase is requested:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

After successful completion there are 2 resulting files in PEM format:

key.pem, cert.pem

The private key (key.pem) is in PKCS#8 format and the starting line reads:

-----BEGIN ENCRYPTED PRIVATE KEY-----

Now I am trying to combine the certificate, as well as the related private key, into a PKCS#12 keystore and protect the keystore with a password. Note - from my understanding this should effectively enforce requesting a password during read access, as well as a passphrase for the private key of the corresponding entry:

openssl pkcs12 -export -inkey key.pem -in cert.pem -out keystore.p12

Upon execution I am asked for the following:

Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:

However, it is my understanding that the passphrase should remain intact for the private key that is now being stored in the keystore.p12 file. Here is how I try to read the contents of the keystore:

openssl pkcs12 -nodes -info -in keystore.p12

The output I get (only related to protecting the keystore with a password):

Enter Import Password:

It then lists the certificate, as well as the private key, in PEM format without requesting the passphrase for the latter. That is basically the problem. The PEM passphrase is no longer there for the private key. What am I doing wrong or how can I fix this? Thank you.

XXL

1 Answer


There's nothing wrong. That's how PKCS12 works. PKCS12 is a format for securely transporting certificate chains and private keys between tokens. Protection/encryption of the private key is done by the passphrase you entered when asked for 'Enter Export Password'. Nothing like twice-encrypted keys.

EDIT: Omit the -nodes option. That turns off encryption of the private key.

nudzo
  • I am pretty sure I was prompted to enter a **PEM passphrase** once when I **-info** on a couple of **.p12** files (I can't seem to replicate the exact steps I performed to trigger it though, hence why I posted) – XXL Dec 06 '13 at 00:47
  • Try the same with NSS certutil and pk12util... you will get the same behavior as I mentioned. If you were asked for *PEM pass*, it was when you were exporting things from PKCS12... and storing them encoded in PEM format. *-info* is `give info about PKCS#12 structure`, not export. – nudzo Dec 06 '13 at 19:22
  • I am only using **-info** to list the contents of the keystore and I assure you that I was requested to enter a **PEM** passphrase when doing so (I am not dreaming, hence why I'm giving out bounty on this question) - **SafeBag** containers **should** carry a password as well. – XXL Dec 08 '13 at 17:05
  • Coincidentally I had to do some cert updates yesterday and realized what your question is about... answer above in edit. – nudzo Dec 08 '13 at 21:11
  • I think you cracked it :) I've only got 1 question left - is **JKS** expected to behave the same way, as in, it also doesn't support protecting cert/privkey pairs with a standalone password? Maybe you've come across it as well at some point by chance – XXL Dec 08 '13 at 21:53
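The exchange above boils down to two facts: the export password is the only thing protecting the private key inside the .p12, and -nodes on the way back out writes that key to PEM unencrypted. The following script (an added example, not part of the original question or answer) reproduces the asker's steps non-interactively and checks both behaviours; the key passphrase, export password and subject name are constructed values.

```shell
#!/bin/sh
# Added example: show that the PKCS#12 export password is what encrypts the
# private key in keystore.p12, and that "-nodes" on import strips that
# encryption when the key is written back out as PEM.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYPASS='keypass123'   # constructed PEM passphrase for key.pem
P12PASS='exportpass'   # constructed "Export Password" for keystore.p12
# "pass:" is used only to keep this script non-interactive; it exposes the
# secret on the command line, so prefer "file:" or "env:" outside a demo.

# Same two commands as in the question, minus the interactive prompts.
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -days 365 -subj '/CN=example.test' -passout "pass:$KEYPASS" 2>/dev/null
  # The PEM passphrase is needed only to *read* key.pem here; inside the
  # keystore the key is protected by the export password alone.
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/keystore.p12" -passin "pass:$KEYPASS" -passout "pass:$P12PASS"
}

# Read back with -nodes: the key is emitted unencrypted (what the asker saw).
key_header_with_nodes() {
  openssl pkcs12 -in "$WORK/keystore.p12" -nodes -passin "pass:$P12PASS" 2>/dev/null \
    | grep 'PRIVATE KEY-----' | head -n1
}

# Read back without -nodes: OpenSSL re-encrypts the key under a new passphrase.
key_header_without_nodes() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$P12PASS" \
    -passout "pass:$KEYPASS" 2>/dev/null | grep 'PRIVATE KEY-----' | head -n1
}

# The export password really does gate access: a wrong one yields nothing.
wrong_export_password_rejected() {
  if openssl pkcs12 -in "$WORK/keystore.p12" -nodes \
       -passin 'pass:not-the-password' >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

make_keystore
echo "with -nodes:    $(key_header_with_nodes)"      # -----BEGIN PRIVATE KEY-----
echo "without -nodes: $(key_header_without_nodes)"   # -----BEGIN ENCRYPTED PRIVATE KEY-----
```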