Gregory Sloop
2014-10-23 16:48:12 UTC
Ok, so I know this isn't strictly an OpenSSL question, so I apologize - but I'd guess someone here knows the answer, or can direct me to the correct resource. [I've done a lot of searches, but no real luck.]
I'm trying to import both a private key and certificate generated with OpenSSL into a Windows client. [Let's assume Win7 and 8]
It looks like p12 files are probably the best way to go. [Glad to stand corrected, but that's what it looks like to me.]
So, I've cranked out a p12 file [converted from separate PEM files, also initially generated with OpenSSL] with the client-private-key and client-cert inside.
(Like so: openssl pkcs12 -keypbe aes-256-cbc -export -inkey infile.key -in infile.crt -out outfile.p12)
I initially tried encrypting it with "-keypbe aes-256-cbc" - however Windows barfs on it. [This should encrypt the p12 with AES-256, I think.]
I did it again, using "-descert" [which, AFAICT should encrypt with 3DES]
(Like so: openssl pkcs12 -descert -export -inkey infile.key -in infile.crt -out outfile.p12)
Windows likes this second one.
While 3DES is probably "good enough" - I'd rather use AES-256.
So the root of my question is:
1) What formats can Windows [7/8] accept? [Pointers somewhere would be good - google didn't help me find much.]
2) Is there some reasonable way to generate/convert the key/cert using OpenSSL, to use something better than 3DES that Windows will accept?
TIA for any light you can shed on the situation.
[I have similar questions about OSX - so if you have data about OSX that would be handy too. However, OSX isn't as critical to me at the moment, so I'm not as exercised about it. :) ]
-Greg
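Added example (not part of the original post): one way to check which password-based encryption each of the two `openssl pkcs12 -export` commands above actually applied to the certificate bag and to the key bag, using `openssl pkcs12 -info`. The throwaway key and certificate, the CN, the password, the output names and the helper function names are constructed for the demo, and the exact algorithm wording printed depends on the installed OpenSSL version.

```shell
#!/bin/sh
# Added example: compare the PBE schemes of the two exports from the post.
# Key, certificate, CN, password and output names are constructed for the demo.
PW='constructed-demo-password'

# Throwaway self-signed key and certificate standing in for infile.key/infile.crt.
make_inputs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-client' \
        -keyout "$dir/infile.key" -out "$dir/infile.crt" 2>/dev/null
}

# export_p12 <dir> <outfile> <extra pkcs12 options...>
# Same command shape as in the post, plus a non-interactive export password.
export_p12() {
    dir=$1; out=$2; shift 2
    openssl pkcs12 "$@" -export -inkey "$dir/infile.key" -in "$dir/infile.crt" \
        -out "$dir/$out" -passout "pass:$PW"
}

# Print the lines that name the encryption of the certificate bag
# ("PKCS7 Encrypted data") and of the private key bag ("Shrouded Keybag").
# openssl writes the -info report to stderr, hence 2>&1.
p12_algs() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PW" 2>&1 |
        grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):'
}
cert_alg() { p12_algs "$1" | grep '^PKCS7 Encrypted data:'; }
key_alg()  { p12_algs "$1" | grep '^Shrouded Keybag:'; }

# Build both variants and show what each one really contains.
demo() {
    work=$(mktemp -d) || return 1
    make_inputs "$work" &&
    export_p12 "$work" aes.p12 -keypbe aes-256-cbc &&
    export_p12 "$work" des.p12 -descert &&
    for f in aes.p12 des.p12; do echo "== $f"; p12_algs "$work/$f"; done
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```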