NetBSD-Users archive


Re: Problem (again!) with openssl!



On 28/07/14 18:59, Paul Goyette wrote:
>>> openssl verify command says that my .pem files are good, so I don't
>>> know where to look next.
>>
>> Key and certificate files can be in either a text format (PEM) or
>> binary (DER)--perhaps your /etc/openssl/certs/imapd.pem is actually in
>> DER format? It should contain a "-----BEGIN RSA PRIVATE KEY-----" line.
>>
>> If it's the wrong format, openssl can convert it... I think something
>> like:
>>
>> openssl rsa -inform der -outform pem -in imapd.pem -out imapd2.pem
>>
>> or something to that effect.
> 
> My imapd.pem appears to be a plain text file, starting with
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 3735943887 (0xdeadfacf)
>     Signature Algorithm: sha1WithRSAEncryption
> ...

   That data is ignored by the PEM reader routines; it scans for the
"--..BEGIN BLAH..--" section(s) and parses the base64 data inside the
section.  Does the file contain any "BEGIN PRIVATE KEY" or similar
section?  If it doesn't, it looks like you're missing the private key.

> There is an associated imapd.crt which appears to be binary:
> 
> # hexdump -C imapd.crt
> 00000000  30 82 04 6a 30 82 03 52  a0 03 02 01 02 02 05 00  |0..j0..R........|
> 00000010  de ad fa cf 30 0d 06 09  2a 86 48 86 f7 0d 01 01  |....0...*.H.....|
> 00000020  05 05 00 30 81 9f 31 0b  30 09 06 03 55 04 06 13  |...0..1.0...U...|
> ...

   That would presumably be the exact same thing as the imapd.pem above,
but in BER/DER format.  NotAlwaysTrueButTrueEnoughThatItsGoodToMemorize:
PEM=Unix, DER=Windows.

   openssl defaults to PEM.  If you want to inspect the contents of a
DER file you add the option "-inform der", as Dave Huang suggested.

   The equivalent of:

   $ openssl x509 -noout -text -in /etc/openssl/certs/imapd.pem

   ...for DER is:

   $ openssl x509 -inform der -noout -text -in /etc/openssl/certs/imapd.crt

   ... but this has nothing to do with the error you posted.  Just
trying to demystify openssl and x509 a little.

> 
> 
> 
> -------------------------------------------------------------------------
> | Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
> | Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
> | Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
> | Kernel Developer |                          | pgoyette at netbsd.org  |
> -------------------------------------------------------------------------


-- 
Kind Regards,
Jan
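An added example (not code from the thread or from OpenSSL) of the distinction Jan describes: a small Python checker that, like the PEM reader, ignores everything outside the "-----BEGIN/END-----" markers, base64-decodes each section, tells DER from PEM by the leading SEQUENCE tag, and reports whether any "PRIVATE KEY" section is present. The DER_HEAD bytes are the first 20 bytes of the imapd.crt hexdump quoted above; the "Certificate:" text header in SAMPLE_PEM is constructed.

```python
import base64
import re

# One PEM section: the label after BEGIN must match the one after END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_sections(data: bytes):
    """Return [(label, der_bytes)] for every PEM section in the file.

    Text outside the markers (e.g. the 'Certificate:' dump that
    'openssl x509 -text' writes) is skipped, as the PEM reader does.
    """
    text = data.decode("ascii", errors="replace")
    out = []
    for label, body in PEM_BLOCK.findall(text):
        # strict decoding: a non-base64 body is a corrupt section, not data
        raw = base64.b64decode("".join(body.split()), validate=True)
        out.append((label, raw))
    return out


def looks_like_der(data: bytes) -> bool:
    """DER certificates and keys start with an ASN.1 SEQUENCE tag (0x30).

    Caveat: a text file whose first character is '0' also starts with
    0x30, so treat this as a hint, not proof.
    """
    return len(data) > 1 and data[0] == 0x30


def classify(data: bytes) -> dict:
    """Summarise the file: DER or PEM, section labels, private key present?"""
    if looks_like_der(data):
        return {"format": "DER", "labels": [], "has_private_key": False}
    labels = [label for label, _ in pem_sections(data)]
    return {
        "format": "PEM" if labels else "unknown",
        "labels": labels,
        "has_private_key": any("PRIVATE KEY" in lbl for lbl in labels),
    }


# First 20 bytes of the imapd.crt hexdump quoted in the thread.
DER_HEAD = bytes.fromhex("3082046a30820352a003020102020500deadfacf")

# Constructed PEM file: text dump, then the same bytes in a CERTIFICATE section.
SAMPLE_PEM = (
    b"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(DER_HEAD)
    + b"-----END CERTIFICATE-----\n"
)
```

Run against the real files with `classify(open(path, "rb").read())`; a result with no "PRIVATE KEY" label is exactly the missing-key case Jan asks about.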

