openssl: exporting PFX to PEM and back


I'm having trouble getting a working .pfx file from an exported .pem. I have read the various questions regarding the conversion, but they all deal with it in either direction and never both.

The German tax website "Elster" uses .pfx certificate files to sign in. On a form on the website, you provide the file and the associated password. I would like to be able to back up the certificate as plain text, rather than a binary file, so I thought of pkcs12. I tried exporting to a .pem file, which seems to work alright, but when I use the exported file to test my backup and write a .pfx back from it, the website doesn't accept my login ("invalid password for certificate file").

I have written a simple bash script that illustrates what I have in mind.
(It seems I have to use the -legacy parameter, otherwise my OpenSSL (3.1.1) will complain about unsupported formats.)

#!/bin/bash

pfxfile="./original.pfx"
pemfile="./export.pem"
pass="abc123"

# convert to PEM
openssl pkcs12 -in "$pfxfile" -legacy -passin pass:"$pass" -nodes -out "$pemfile"

# convert back to PFX
openssl pkcs12 -in "$pemfile" -legacy -export -passout pass:"$pass" -out "./restored.pfx"

I have tried exporting to separate files for key, client cert and CA certs, which would be my preferred setup, but it didn't work either. I know it's kind of hard to reproduce without the actual .pfx file, but I can't provide it for obvious reasons. I'm hoping somebody will see a simple error and that there is an easy fix. I was suspecting it has to do with the legacy format, but was not able to investigate it further.

Any help is appreciated!

Edit:

When I display info on the original and new .pfx files, the result differs quite a bit. Is there a way to generate the new file to more closely match the original?

original.pfx

MAC: sha1, Iteration 6000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 6000
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 6000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 6000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag

restored.pfx

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

There are 0 answers