Manage multiple RSA keys/certs in a PKCS#12 structure

I am trying to manage multiple RSA keys and certificates in a PKCS#12 structure from a C library. Managing a single key with the primitives PKCS12_create and PKCS12_parse works fine, but I can't find anything about managing multiple keys. I tried to use the safes and bags primitives, but I only succeeded in corrupting my PKCS12.

Does OpenSSL's PKCS#12 allow multiple keys and certificates in PKCS#12 structure? If so, then how do I manage multiple keys and certificates using the PKCS#12 API?

Thanks all

asked Jun 16 '17 09:06 by Yann Delanoe



1 Answer

PKCS#12 is a complicated data structure. All of the operations that PKCS12_parse uses are public API; it just tries to simplify the simple case. The entire 245 lines of p12_kiss.c (one presumes Keep It Simple, Stupid) are PKCS12_parse and its (non-public) helper routines.

p12_crt.c is another 291 lines of "man, this file format is complicated", which is just PKCS12_create.

Managing multiple files is easier code, but if you want to take the complexity into your code you can simplify your file operations.

Don't forget to call PKCS12_SAFEBAG_create_pkcs8_encrypt on the private key bags. Your keys aren't encrypted unless you call it, and (IIRC) Apple's PFX reader won't load keys out of unencrypted bags (probably not an intentional decision, they just likely never experienced it).

answered Oct 12 '22 23:10 by bartonjs