ACE20-MOD-K9 - Exporting SSL keys/certs in PKCS12



Hello,


I have an ACE20-MOD-K9 module running version A2(1.6a). I have created the public/private keys and CSR from the ACE and also imported the certificate from a 3rd party. What I need to do now is export the SSL keys/certs into PKCS12 format so that I can install them on an external device (McAfee Intrusion Prevention System).


From the configuration notes and other threads here, it is not clear whether this is possible. I don't have access to the module just yet, otherwise I would try!


Thanks

UK

ciscocsoc Mon, 04/12/2010 - 05:29

Hi,

You can't export directly into PKCS#12 format.

You have to export the certificate, key and the CA certificates to a convenient system, concatenate them together and then use something like OpenSSL to convert the format.

openssl pkcs12 -export -in certs.pem -out file.p12 -name "Some Friendly Name"

where certs.pem is the concatenation.

HTH

Cathy

sachinga.hcl Mon, 04/12/2010 - 05:47

Hi Usman,

You cannot export the certificate from the ACE to PKCS12 format directly, as Cathy said.

By the time Cathy responded to your query I had also prepared an answer, which is quite similar to Cathy's but a bit more explanatory.

So I am adding my answer too, even though Cathy has answered already, but I believe I am not offending anybody.

You can export a certificate or key pair file from the ACE to a remote server or to the terminal screen by using the crypto export command in Exec command mode, in PEM format only.

You'll need to extract the component parts from PEM format outside of the ACE and then you can convert the PEM certificates to PKCS12 and then import them on some other device.

--------------------------------------------------------------------------------

Also, you should remember that you cannot export a certificate or key pair file that you marked as nonexportable when you imported the file to the ACE.

You will also need a chaingroup unless this is a self-signed certificate. Again any intermediate and root certificates will need to be in PEM format.


Use the following URL for exporting in PEM format.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/ssl/guide/certkeys.html#wp1012337


For converting PEM to PKCS12 you need OpenSSL.

OpenSSL is a very powerful cryptography utility, perhaps a little too powerful for the average user. With all the different command line options, it can be a daunting task figuring out how to do exactly what you want to do. Here are several common tasks you may find useful. Note that some commands may require version 0.9.8a and above.


Convert PEM Format Certificate To PKCS12 Format Certificate

Most browsers, including Internet Explorer, require that client certificates (which includes proxy certificates) be in the PKCS12 format rather than the X509 PEM format. Additionally, Java KeyStores require certificates to be in PKCS12 format. To convert a PEM formatted certificate to PKCS12 format, you need both the certificate and the private key for that certificate. Here's a typical openssl command and the resulting interactive session when converting PEM format to PKCS12 format:
> openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12
Enter Export Password:
Verifying - Enter Export Password:
>
First, an explanation of the command line options:

-export - generate a PKCS12 formatted file.
-in cert.pem - read in the X509 PEM formatted certificate from the file cert.pem.
-inkey key.pem - read in the X509 PEM formatted key from the file key.pem.
-out cred.p12 - write out the PKCS12 formatted 'credential' to the file cred.p12.

Next, some caveats of the interactive session:

PEM formatted certificates are fairly flexible. For example, both the certificate and the private key for that certificate can be contained in a single file. This is often the case with proxy certificates, which contain the proxy certificate, the proxy private key, and the user certificate (which was used to sign the proxy certificate). If you have a single file containing both the certificate and the key, you can specify the same filename for both the -in and -inkey command line options. OpenSSL will use the first certificate and first private key it finds in the file.
If the private key is encrypted, you will be prompted to enter the pass phrase for that key before entering the export password.
The export password does not have to be the same as the password you used for the PEM formatted private key. Whatever password you choose, you will need to enter that new password when importing the new PKCS12 credential into Windows XP.

Also, here is the reverse process:


Converting PKCS12 Format Certificate To PEM Format Certificate
If you have a certificate which appears to be in binary format, then you probably have a PKCS12 formatted file. While the PKCS12 format is used by Java KeyStores and Windows XP "Internet Options", most OpenSSL commands work on PEM formatted certificates and private keys. Fortunately, it is relatively easy to convert one format to the other. Here's a typical openssl command and resulting interactive session when converting PKCS12 format to PEM format:
> openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts
Enter Import Password:
MAC verified OK
>
First, an explanation of the command line options:

-in - read in the PKCS12 formatted credential from the file cred.p12.
-out - write out both the PEM formatted certificate and private key to the file certkey.pem.
-nodes - an optional parameter NOT to encrypt the private key. If you cannot guarantee secure access to your private key, omit this command line option.
-clcerts - output only client (user) certificates.

Next, some caveats of the interactive session:

You will notice that the command outputs both the certificate and private key to a single file. If you open the certkey.pem file with a text editor, you will see something like this:
-----BEGIN CERTIFICATE-----
[base64 certificate data]
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 9B 8A 85 AF 89 9D EB B0 73 3A F8 F1 D3 F7 88 09 22 47 7C E3
Key Attributes:
-----BEGIN RSA PRIVATE KEY-----
[base64 private key data]
-----END RSA PRIVATE KEY-----
While OpenSSL can handle both the certificate and the private key in a single file, it is often preferable to keep the two separate. There are two ways to make separate files for the certificate and the key.

Using the certkey.pem file you generated above, simply save everything between (and including) each of the -----BEGIN----- and -----END----- lines to separate files, named something like cert.pem and key.pem for example.
Alternatively, you can rerun the command twice using the -nokeys and -nocerts command line options as follows:
> openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
Enter Import Password:
MAC verified OK
> openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts
Enter Import Password:
MAC verified OK
>
The "Import Password" is the password that was used to generate the PKCS12 file.
If you omit the -nodes command line option, you will also be prompted to "Enter PEM pass phrase". This is a (possibly different) password utilized to encrypt the PEM formatted private key.

Hope this is somewhat explanatory to you.

Best regards,

Sachin

Thank you for the replies.

Can't see why Cisco would not support this format?

Cathy - can I just clarify your comment "You have to export the certificate, key and the CA certificates to a convenient system, concatenate them together and then use something like OpenSSL to convert the format."

I'm comfortable with using OpenSSL; however, I was expecting to export the two PEM files from the ACE, i.e. the ones defined in my ssl-proxy below:

ssl-proxy service customera
key custkey.pem
cert custcert.PEM

Then referencing these files in the command line below:

openssl pkcs12 -export -in custcert.pem -inkey custkey.pem -out cred.p12

Is this what you are referring to or have I missed something?

Thanks.

UK

ciscocsoc Mon, 04/12/2010 - 22:45

Hi UK,

You'll need to export custkey.pem, custcert.pem and any CA certificates (if you have a certificate chain). You then need to concatenate those files into one file (certs.pem in my example) and then process the whole thing into a PKCS#12 format file.

Kind Regards

Cathy


Hi Cathy,

Thanks.

Is there an openssl tool to concatenate the files, or can I simply copy the contents of custkey.pem, custcert.pem and any CA certificates into a text editor and save as certs.pem?


Thanks

UK

ciscocsoc Tue, 04/13/2010 - 01:59

Cut-and-paste or cat (unix) will be fine. Just make sure that the start/end markers for each cert/key are on their own lines.

Kind Regards

Cathy
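As an added example, not code from Cathy, Sachin or Cisco, this POSIX shell script ties together Cathy's concatenation advice and the openssl pkcs12 commands quoted above: it checks that every PEM marker sits on its own line, concatenates the ACE-exported files into certs.pem, exports the bundle to PKCS#12 and confirms that the certificate inside the .p12 matches the original. It assumes OpenSSL is installed, and the P12_PASSWORD environment variable used for the export password is an assumption of this example, not something the thread or the ACE defines.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): bundle the PEM files the ACE exports and
# convert them to PKCS#12. Assumes OpenSSL is installed and the export password is in
# $P12_PASSWORD (an assumed variable), so it never shows up in the process list.
set -eu
# Cathy's caveat: every BEGIN/END marker must sit on its own line. Returns 1 if a
# marker has non-blank text before or after it, e.g. "-----END CERTIFICATE-----Bag".
check_pem_markers() {
    if grep -Eq '[^[:space:]]-----(BEGIN|END) |-----(BEGIN|END) [A-Z ]+-----[^[:space:]]' "$1"; then
        echo "marker not on its own line in $1" >&2
        return 1
    fi
}

# usage: build_bundle certs.pem custkey.pem custcert.pem [intermediate.pem root.pem ...]
# Same as cat, but validates each input and guarantees a newline between files.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        check_pem_markers "$f"
        cat "$f" >> "$out"
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"   # input lacked a final newline
    done
}

# usage: export_p12 certs.pem cred.p12
# The bundle is both -in and -inkey: OpenSSL pairs the first private key with its
# certificate and packs the remaining (CA) certificates into the .p12 as the chain.
# Importers limited to the old PKCS#12 ciphers may need OpenSSL 3's -legacy option.
export_p12() {
    : "${P12_PASSWORD:?set P12_PASSWORD to the export password}"
    openssl pkcs12 -export -in "$1" -inkey "$1" -name "ACE exported cert" \
        -out "$2" -passout env:P12_PASSWORD
}

# SHA-256 fingerprint of the end-entity cert in a .p12 / in a PEM file, to verify the result.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
pem_cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# usage: sh ace_pem_to_p12.sh cred.p12 custkey.pem custcert.pem [ca.pem ...]
if [ "$#" -ge 3 ]; then
    target=$1; shift
    build_bundle certs.pem "$@"
    export_p12 certs.pem "$target"
    [ "$(p12_cert_fingerprint "$target")" = "$(pem_cert_fingerprint "$2")" ] || { echo "fingerprint mismatch" >&2; exit 1; }
    echo "wrote $target; certificate matches $2"
fi
```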
