创建一个.p12文件

使用 openssl,我创建了一个私钥,如下所示:

openssl genrsa -out myKey.pem

然后,为了生成 CA 要求的 csr,我执行了以下操作:

openssl req -new -key myKey.pem -out cert.csr

CA 使用我存储在名为 myCert.cer的文件中的证书进行响应

现在我想绑定必要的组件(私钥、公钥(?))和证书)转换为单个 .p12。为此,我运行以下命令:

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in myCert.cer

但我收到了如下错误消息:

No certificate matches private key

我该怎么做呢?

217111 次浏览
小开
最佳答案

The openssl documentation says that file supplied as the -in argument must be in PEM format.

Turns out that, contrary to the CA's manual, the certificate returned by the CA which I stored in myCert.cer is not PEM format rather it is PKCS7.

In order to create my .p12, I had to first convert the certificate to PEM:

openssl pkcs7 -in myCert.cer -print_certs -out certs.pem

and then execute

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem
小开

I'm debugging an issue I'm having with SSL connecting to a database (MySQL RDS) using an ORM called, Prisma. The database connection string requires a PKCS12 (.p12) file (if interested, described here), which brought me here.

I know the question has been answered, but I found the following steps (in Github Issue#2676) to be helpful for creating a .p12 file and wanted to share. Good luck!

  1. Generate 2048-bit RSA private key:

    openssl genrsa -out key.pem 2048

  2. Generate a Certificate Signing Request:

    openssl req -new -sha256 -key key.pem -out csr.csr

  3. Generate a self-signed x509 certificate suitable for use on web servers.

    openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

  4. Create SSL identity file in PKCS12 as mentioned here

    openssl pkcs12 -export -out client-identity.p12 -inkey key.pem -in certificate.pem


提交答案