I am trying to use openSSL to set up an https connection for my application. I’m running a Neo4j 1.2.2 database, with a Trinidad 1.3.5 web server, using the Rails 3.1 and ruby 1.9.
I have a Thawte trial certificate, ca_cert.crt, their intermediate and root certificates, ca_intermediate.crt and ca_root.crt respectively, and my own private key, ca_private.pem. What openssl command do I need to run to create a keystore, which I can specify in my app’s trinidad.yaml config file?
So far the “looks-closest-to-right” thing I’ve tried is:
pkcs12 –export –in ca_cert.crt inkey ca_private.pem –out keystore.p12 –name tomcat
and it gives me the error:
unable to load certificates
6380:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\as
n1\tasn_dec.c:1319:
6380:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\
crypto\asn1\tasn_dec.c:381:Type=X509_CINF
6380:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 e
rror:.\crypto\asn1\tasn_dec.c:751:Field=cert_info, Type=X509
6380:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:.\crypto\pem\pe
m_info.c:258:
error in pkcs12
It looks to me like openssl doesn’t like the format I have the files in, though I have tried nearly every combination of the .pem, .crt, .cer, and .key extensions I can think of to no avail. I’m new to SSL entirely, so I hope I’m just doing something stupid and its an easy fix…
Here is the example I’ve been trying to follow: https://github.com/trinidad/trinidad/wiki/ssl-end-to-end-example
From this answer it seems that Thawte certificates are formatted as PKCS#7, while
openssl pkcs12 -exportcommand expects PEM. Certificate in PKCS#7 can be converted using modified version of command from previously linked answer.Then executing command, that you provided, creates PKCS#12 keystore.