Create PKCS#12 bundle with chain
Subject: Create PKCS#12 bundle with chain
Author: authen
In response to: Create PKCS#12 bundle
Posted on: 09/12/2015 01:24:00 AM
C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\users\joe-private-key.pem ^
    -certfile myCA\interCA\certnew.pem ^
    -in myCA\users\joe_email.pem -out myCA\users\joe_email.p12
Loading 'screen' into random state - done
Enter pass phrase for myCA\users\joe-private-key.pem:passphrase
Enter Export Password:passphrase
Verifying - Enter Export Password:passphrase
View the PKCS#12 store
C:\OpenSSL64>openssl pkcs12 -in myCA\users\joe_email.p12 -nodes -info
Enter Import Password:passphrase
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
subject=/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Root CA/CN=Simple Root CA
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MRMwEQYKCZImiZPyLGQB
GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
SW5jMRcwFQYDVQQLDA5TaW1wbGUgUm9vdCBDQTEXMBUGA1UEAwwOU2ltcGxlIFJv
b3QgQ0EwHhcNMTUwOTEwMTc1NzAxWhcNMjUwOTA5MTc1NzAxWjB6MRMwEQYKCZIm
iZPyLGQBGRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApT
aW1wbGUgSW5jMRowGAYDVQQLDBFTaW1wbGUgU2lnbmluZyBDQTEaMBgGA1UEAwwR
U2ltcGxlIFNpZ25pbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDbrYUlzSJ6nr8M6fi/Fd4BmJDBkbCsHoIfLEFTCXEvACYAvJNeyDN293CnCG7K
6DNHXFMiqIOWsyQs0PdMHdQ8MO2pPVVnUdxCxq0QdpoOuP6srGNfSOLAxhXwPLz3
OwYrb/R1Wqp9wG2TBm2yi/MGg/8hkZ/sv4G0rYBUfF7RQbXEWD/cjUazhdns1yuA
0RDOyWKh/ouZuT+Q0U4RlfpdAp4D9deDdjJV3KnIGEf5YxNZi556CwuJgDo7pYdT
0cYR/eXla+lqTb+6hqwBe3gcyvot3SV+FRGP/QNCSCcqGYpEPsOXSZ5TJh8aMmHM
toO7LZruiKKxaKmEaH/sqKEJAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNV
HRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSm4rqUdzti6FaMzaOvX8n9KVo6tTAf
BgNVHSMEGDAWgBQjUTKlbRs+kH06igkeCD4+9rYcuDANBgkqhkiG9w0BAQUFAAOC
AQEAueyfcCxFck5nWZv4E2ojqm+YzLga6torOjbGNZsb4J0sQtg2VCghGt6qKX1w
yAz2e4MBxGwxTGuZfHW0T40MqSc3SjJHchJjfrDvPTy+//pkOFCAXV/DDNIdNioF
3DHfAfQ+H4N+4LEW5UEqAO1n7aPxJn3Q4LMkN95uHokcyx74NhdYGP/tiLwpXpjW
XU0nhzOEZNVPP32O2PB6/CFFdZshA7JInD9RFAASthvyr35ghojq/X6Dz9Elq14s
jhQOZ1qvp5LaxNvddDHw4CBJl/V5QEm8u80V54DnLdrmfYyusieR40NOzEASZabD
E9ZjsFzlf40NB3q1s9h7A6yECw==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
As can be seen, this PKCS#12 store has two public keys (user + signing CA) and the user's private key. Note: As this PKCS#12 store has the PKI chain inside, the peer only needs the Root CA to be loaded into its trust store to verify the user.
>
> On 09/12/2015 01:13:19 AM authen wrote:
A PKCS#12 store is used to bundle a certificate and its private key, which is required for certificate-based authentication, where the client has to provide his/her certificate (with only the public key inside) and sign a proof of possession of the certificate via his/her private key.
Note: In the mutual authentication traffic, the proof of possession can be identified by the CertificateVerify + encrypted token (which can only be decrypted by the corresponding public key inside the passed certificate).
C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\users\joe-private-key.pem ^
    -in myCA\users\joe_email.pem -out myCA\users\joe_email.p12
Loading 'screen' into random state - done
Enter pass phrase for myCA\users\joe-private-key.pem:passphrase
Enter Export Password:passphrase
Verifying - Enter Export Password:passphrase
View the PKCS#12 store
C:\OpenSSL64>openssl pkcs12 -in myCA\users\joe_email.p12 -nodes -info
Enter Import Password:passphrase
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
subject=/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
It shows both the public key and the private key.
Note: Keep in mind that this PKCS#12 store does not have the intermediate signing CA inside. In order for the PKI validation to work, the peer has to have the Signing CA and the Root CA both loaded into its trust store.
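The two exports above (with and without -certfile) and the two notes about what the peer's trust store must contain, as one added example that is not part of either post. It is written for a POSIX shell rather than the Windows cmd prompt used in the thread, and it assumes only the openssl CLI. It builds a throw-away root CA, signing CA and user certificate (constructed for the demo; the file names root.pem, inter.pem, joe.pem, joe.key and the export password "exportpw" are assumptions), exports the user key and cert both ways, and then replays the peer's check: the client cert is pulled out with -clcerts, any bundled CA certs with -cacerts, and openssl verify is run against a trust store holding only the root, or the root plus the signing CA.

```shell
#!/bin/sh
# Added example (not from the thread): root CA -> signing CA -> user cert, then
# PKCS#12 export with and without the signing CA, and the peer's verification.
# Assumed names: root.pem, inter.pem, joe.pem/joe.key, export password "exportpw".
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config so nothing depends on the system openssl.cnf (constructed for this demo).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

build_pki() {
  # Self-signed root: the peer's trust anchor.
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Simple Inc/CN=Simple Root CA" -extensions v3_ca \
    -keyout root.key -out root.pem 2>/dev/null
  # Signing (intermediate) CA issued by the root.
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile demo.cnf -extensions v3_inter -out inter.pem 2>/dev/null
  # User key (passphrase-protected, like joe-private-key.pem) and cert from the signing CA.
  openssl req -config demo.cnf -new -newkey rsa:2048 -sha256 -passout pass:passphrase \
    -subj "/O=Simple Inc/CN=Joe Smith" -keyout joe.key -out joe.csr 2>/dev/null
  openssl x509 -req -in joe.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile demo.cnf -extensions v3_user -out joe.pem 2>/dev/null
}

# The thread's two exports, made non-interactive (-passin/-passout replace the prompts).
export_p12() {  # $1 = output .p12, remaining args are extras such as "-certfile inter.pem"
  out="$1"; shift
  openssl pkcs12 -export -inkey joe.key -passin pass:passphrase -in joe.pem \
    -out "$out" -passout pass:exportpw "$@"
}

count_certs() {  # $1 = .p12; prints the number of certificate bags in the bundle
  openssl pkcs12 -in "$1" -passin pass:exportpw -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# The peer's view: the client cert is the bag carrying a localKeyID (-clcerts); any
# bundled CA certs have no localKeyID (-cacerts) and are offered to verify as
# untrusted chain material. $2 is the PEM trust store the peer has loaded.
peer_verify() {  # $1 = .p12, $2 = trust store PEM; prints "valid" or "invalid"
  openssl pkcs12 -in "$1" -passin pass:exportpw -nokeys -clcerts -out user.crt 2>/dev/null
  openssl pkcs12 -in "$1" -passin pass:exportpw -nokeys -cacerts -out extra.crt 2>/dev/null
  untrusted=""
  if [ -s extra.crt ]; then untrusted="-untrusted extra.crt"; fi
  if openssl verify -CAfile "$2" $untrusted user.crt >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

build_pki
export_p12 joe_nochain.p12                      # only user cert + key (first post)
export_p12 joe_chain.p12 -certfile inter.pem    # user cert + signing CA + key (reply)
cat root.pem inter.pem > root_and_signing.pem   # trust store holding both CAs

echo "joe_nochain.p12: $(count_certs joe_nochain.p12) cert(s); root only: $(peer_verify joe_nochain.p12 root.pem); root+signing CA: $(peer_verify joe_nochain.p12 root_and_signing.pem)"
echo "joe_chain.p12:   $(count_certs joe_chain.p12) cert(s); root only: $(peer_verify joe_chain.p12 root.pem)"
```

Without -certfile the bundle holds one certificate and a peer trusting only the root rejects it (unable to get local issuer certificate) until the signing CA is also in its trust store; with -certfile the signing CA travels inside the bundle in a bag with no localKeyID, which is exactly the "Bag Attributes: <No Attributes>" entry in the output above, and the root alone suffices. One caveat when reproducing the thread's output today: the pbeWithSHA1And40BitRC2-CBC and 3DES algorithms shown there are the OpenSSL 1.x defaults; OpenSSL 3.x exports with AES-256-CBC and PBKDF2 instead, and will only read an old RC2-protected .p12 with the -legacy option.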