8

I have exported an existing certificate+key from an ASA 5510:

asa5510(config)# crypto ca export MYTRUSTSTORE pkcs12 MYPASSWORD

Saved the output in a file (vpn-cisco.pkcs12), and now I am trying to pull the cert and the key into separate files like so:

openssl pkcs12 -in cisco-vpn.pkcs12 -nocerts -out privateKey.pem

The error I receive:

139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

Same error if I run openssl pkcs12 -info ... or any other command.

I have tried to export the file again and compare using ASDM instead of the CLI, but the file is exactly the same.

Googling for the error only says the encoding of the file might be somehow off, but no specific details.

EDIT (7 years later): I came across the same issue again, having to maintain an ASA and a Zimbra setup using the same certs, and came across my own question as the working answer.

Extra thanks for all the additional input like needing to sanitize the p12 file for empty lines etc.

EDIT 2: PKCS12 export from the ASA encrypts the private key, and ZCS isn't happy with that, so the password needs to be dropped. First extract the key:

openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -out privateKey.pem

And then drop the password:

openssl rsa -in privateKey.pem -out key_no_pass.txt

dyasny
  • Try first `openssl base64 -in cisco-vpn.pkcs12 -d -out cisco-vpn.pkcs12.bin` and after `openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -out privateKey.pem` – Federico Sierra Mar 20 '15 at 22:57
  • openssl base64 is the key here. openssl expects a binary form PKCS#12 file. – Jari Turkia Mar 09 '16 at 19:32
  • Re edit 2: you don't need two steps for unencrypted, `pkcs12` (import) `-nodes` writes the privatekey unencrypted. However since 2020 it writes PKCS8 format and not 'legacy' PKCS1 format as `rsa` does; I don't know if that matters to whatever you mean by ZCS. – dave_thompson_085 Apr 26 '22 at 01:51
  • ZCS == Zimbra Collab Suite. So I add the `-nodes` param to the original command, for extraction? Like this: `openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -nodes -out privateKey.pem` – dyasny Apr 27 '22 at 13:25

4 Answers

11

This is strange. I have the same problem and found this question to have no answer. I then did more searching and found a yaleman.org post that says they found the answer and linked to this very question. Yet there was no answer here. Retroactively fixing that, full props to yaleman.

Long and short: You need to convert the pfx from Base64 to openssl's binary format.

$ openssl enc -base64 -d -in certfile.pfx -out converted.pfx

Then you can convert it to a PEM and get the key or cert separately.

$ openssl pkcs12 -in converted.pfx -out bundle.pem -clcerts -nodes
8None1
    If this doesn't work for you, it turns out that `openssl base64` discards any lines over 1024 characters unless you pass the `-A` flag. – Gavin S. Yancey Apr 30 '20 at 00:37
  • I had the same problem with a .pfx file downloaded from an Azure keyvault. @GavinS.Yancey your trick worked - thanks! – Marcus May 17 '22 at 16:52
2

If you have trouble with the decode, check your file and delete any blank lines in it. Our ASA was saving them with leading blanks and openssl doesn't like that.

0

Encountered the same issue, turned out that my cert was double base64 encoded...
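Putting the thread's fixes together: the script below is an added example, not code from the question or any answer. It turns an ASA `crypto ca export ... pkcs12` dump into the binary DER that `openssl pkcs12` expects, handling the cases reported above (base64 text instead of DER, leading blanks and blank lines, a single base64 line longer than 1024 characters via `-A`, and a dump that was base64-encoded twice), then writes the key with `-nodes` so the separate `openssl rsa` pass from the question's EDIT 2 is not needed. The file names, output directory and the password argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Normalises an
# ASA "crypto ca export <trustpoint> pkcs12 <password>" dump into the binary
# DER form that `openssl pkcs12` expects, then extracts key and certificate.
# Handles the problems reported in this thread: the dump being base64 text
# instead of DER, leading blanks and blank lines, a single base64 line longer
# than 1024 characters (openssl base64 drops such lines unless -A is given),
# and a dump that was base64-encoded twice. File names, the output directory
# and the password argument are assumptions for illustration.

# first_byte FILE: print the first byte of FILE as two hex digits.
# A DER PKCS#12 is an ASN.1 SEQUENCE, so it always starts with 0x30; the
# base64 encoding of such a file starts with "M" (0x4d), so the check is
# unambiguous.
first_byte() {
    head -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# b64_decode IN OUT: drop any -----BEGIN/END----- lines and all whitespace
# (blank lines, leading blanks, CRLF), then decode the result as one line.
b64_decode() {
    grep -v -e '-----' "$1" | tr -d ' \t\r\n' > "$1.joined"
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -d -A -in "$1.joined" -out "$2"
    else
        base64 -d "$1.joined" > "$2"    # coreutils fallback when openssl is absent
    fi
    rm -f "$1.joined"
}

# p12_to_der IN OUT: write OUT as DER, or return 1 if IN is not recognised.
p12_to_der() {
    in="$1"; out="$2"
    if [ "$(first_byte "$in")" = "30" ]; then
        cp "$in" "$out"                 # already binary DER
        return 0
    fi
    b64_decode "$in" "$out"
    if [ "$(first_byte "$out")" = "30" ]; then
        return 0                        # one base64 layer, as the ASA CLI emits
    fi
    # Still not DER: try peeling a second base64 layer (double-encoded export).
    mv "$out" "$out.inner"
    if b64_decode "$out.inner" "$out" 2>/dev/null && [ "$(first_byte "$out")" = "30" ]; then
        rm -f "$out.inner"
        return 0
    fi
    rm -f "$out.inner" "$out"
    echo "p12_to_der: $in is neither DER nor base64-encoded DER" >&2
    return 1
}

# p12_extract DER PASSWORD OUTDIR: write the private key (unencrypted, via
# -nodes, so no separate "openssl rsa" pass is needed) and the leaf
# certificate as PEM. OpenSSL 3 writes the key in PKCS#8 form
# ("BEGIN PRIVATE KEY"). In an interactive session drop -passin and let
# openssl prompt, so the password stays out of `ps` and shell history.
p12_extract() {
    der="$1"; pass="$2"; dir="$3"
    mkdir -p "$dir"
    openssl pkcs12 -in "$der" -passin "pass:$pass" -nocerts -nodes -out "$dir/key.pem"
    chmod 600 "$dir/key.pem"
    openssl pkcs12 -in "$der" -passin "pass:$pass" -clcerts -nokeys -out "$dir/cert.pem"
}

# Usage: sh asa-p12.sh vpn-cisco.pkcs12 MYPASSWORD ./out
if [ "$#" -eq 3 ]; then
    p12_to_der "$1" "$1.der"
    p12_extract "$1.der" "$2" "$3"
    echo "wrote $3/key.pem and $3/cert.pem"
fi
```

Two caveats when running this against a real export: if OpenSSL 3 rejects the file with an unsupported-algorithm error, the export uses the old RC2-40 PBE and both `openssl pkcs12` commands need `-legacy`; and if the consumer insists on the older `BEGIN RSA PRIVATE KEY` form rather than PKCS#8, `openssl rsa -in key.pem -traditional -out key.pem` (OpenSSL 3) converts it without adding a passphrase.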

0

If you're doing this on Windows you could try using the openSSL exe located at "C:\Program Files\Git\usr\bin\openssl.exe". That worked for me, after I originally got this error when using openssl from a Git bash session. Using the openSSL .exe I got prompted for the .pfx password, which hadn't happened previously. (I also regenerated the original .pfx at one point, in case there was some corruption issue).

Chris Halcrow