PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl pkcs12 -export" - Limitations and Errors
The following examples show you some limitations and errors of the "openssl pkcs12 -export" command.
1. "No certificate matches private key" Error - At least one certificate is required, and it must match the input key pair. So the "openssl pkcs12" command cannot convert a key pair alone from PEM to PKCS12 format.
herong$ openssl pkcs12 -export \
-in key.pem -passin pass:TopSecret \
-out error.p12 -passout pass:TopSecret
No certificate matches private key
2. "Unable to load private key" Error - A private/public key pair is required in the input. So the "openssl pkcs12" command cannot convert a certificate alone from PEM to PKCS12 format.
herong$ openssl pkcs12 -export -in hy-cert.pem \
-out error.p12
unable to load private key
82991:error:0906D06C:PEM routines:PEM_read_bio:no start line:
/.../crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
3. "No certificate matches private key" Error - The input key pair does not match any of the input certificates.
herong$ openssl pkcs12 -export -in root-cert.pem \
-inkey key.pem -passin pass:TopSecret \
-out error.p12 -passout pass:TopSecret
No certificate matches private key
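4. Adding unrelated certificates to a PKCS12 bundle is allowed. Certificates supplied with -certfile are stored as given; the command does not check that they belong to the certificate chain of the key's certificate.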
herong$ openssl pkcs12 -export -in hy-cert-2.pem \
-inkey key.pem -passin pass:TopSecret \
-certfile root-cert.pem \
-out mix-cert-bundle.p12 -passout pass:TopSecret
herong$ openssl pkcs12 \
-in mix-cert-bundle.p12 -passin pass:TopSecret \
-out mix-cert-bundle.pem -passout pass:TopSecret
herong$ more mix-cert-bundle.pem
Bag Attributes
localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Intermediate CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
localKeyID: A7ECD0EC2C377017B62F5BF01A1A66F6B23357CB
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,62E4D3AD9DB7FF03
...
-----END EC PRIVATE KEY-----
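5. If multiple input key pairs are provided, only the first one is taken into the PKCS12 bundle. In the example below the first key in mix-input.pem is the root CA key, so the bundle holds the root CA private key. No error is reported for hy-key.pem, which is left out; its certificate is kept only as an extra certificate with no localKeyID.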
herong$ cat root-key.pem root-cert.pem hy-key.pem hy-cert.pem \
> mix-input.pem
herong$ openssl pkcs12 -export \
-in mix-input.pem -passin pass:TopSecret \
-out mix-key-bundle.p12 -passout pass:TopSecret
herong$ openssl pkcs12 \
-in mix-key-bundle.p12 -passin pass:TopSecret \
-out mix-key-bundle.pem -passout pass:TopSecret
herong$ more mix-key-bundle.pem
Bag Attributes
localKeyID: 3A84C0BCFBD028A9603FD1D8B2298224F50B8BC2
subject=/C=ZZ/CN=ZZ Root CA
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=ZZ/CN=Herong Yang
issuer=/C=ZZ/CN=ZZ Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 3A84C0BCFBD028A9603FD1D8B2298224F50B8BC2
Key Attributes: <No Attributes>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,783A892618782C58
...
-----END EC PRIVATE KEY-----
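The failure cases 1, 2, 3 and 5 above can be caught before running the export. The following pre-flight script is an added example, not part of the original tutorial; the function names and verdict strings are hypothetical, and key_matches_cert compares only the first key and the first certificate of the files it is given.

```shell
#!/bin/sh
# Pre-flight checks for the input of "openssl pkcs12 -export" (added example).
# Usage: preflight mix-input.pem && key_matches_cert key.pem cert.pem pass:TopSecret

# count_pem_blocks FILE LABEL_REGEX: print how many PEM blocks in FILE have a
# BEGIN label matching LABEL_REGEX (grep -c exits 1 on zero matches, hence || true).
count_pem_blocks() {
    grep -E -c -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null || true
}

# preflight FILE: print a verdict for FILE as the -in argument and return
# 0 only when it holds exactly one private key and at least one certificate.
preflight() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    keys=$(count_pem_blocks "$1" '([A-Z0-9]+ )?PRIVATE KEY')
    certs=$(count_pem_blocks "$1" 'CERTIFICATE')
    if [ "$keys" -eq 0 ]; then
        echo "no-key"               # export fails: "unable to load private key"
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "no-cert"              # export fails: "No certificate matches private key"
        return 1
    fi
    if [ "$keys" -gt 1 ]; then
        echo "extra-keys-dropped"   # export succeeds but bundles only the first key
        return 1
    fi
    echo "ok"
}

# key_matches_cert KEYFILE CERTFILE PASSARG: return 0 when the first private key
# in KEYFILE and the first certificate in CERTFILE carry the same public key,
# 1 when they differ, 2 when either cannot be read. PASSARG is an openssl
# pass phrase argument such as pass:TopSecret.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "$3" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}
```

A verdict of extra-keys-dropped on a file such as mix-input.pem means the bundle would carry whichever key comes first, so check that it is the intended one before exporting.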