While messing with a Cisco ASA, I needed to pull a certificate out of the config. When I tried to parse it with openssl, it wasn’t pleased with the PKCS12 format file the ASA claims to have exported:
139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12
Even Windows wouldn’t have a bar of it, which is unsurprising; its certificate handling’s for shit anyway. I found the answer here on StackOverflow (of course): OpenSSL cannot convert PKCS12 exported from Cisco ASA 55xx.
Exporting the file as certfile.pfx, I then used the enc command to convert it from the ASA’s Base64 text format to the binary (DER) format OpenSSL expects; the “wrong tag” above is openssl finding an ASCII character where the leading ASN.1 SEQUENCE tag should be:
$ openssl enc -base64 -d -in certfile.pfx -out converted.pfx
The -d flag is enc’s “decrypt” switch; with -base64 and no cipher named it just Base64-decodes. :)
To get the cert and key out into a single bundle file, run the following command (it will prompt for the export passphrase you set on the ASA):
$ openssl pkcs12 -in converted.pfx -out bundle.pem -clcerts -nodes
This writes the certificate and the private key as PEM blocks in bundle.pem, the usual format, so you can use them in another system as you would with normal PEM files. Two caveats: -nodes leaves the key unencrypted on disk, so protect the bundle, and -clcerts drops any CA certificates from the output, so leave it off if you need the chain too. :)
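The whole procedure as a script, added here as an example rather than taken from the post or from Cisco: it checks whether a file is already DER by looking at the first byte, strips the wrapper lines the ASA CLI puts around the Base64 body (the "-----BEGIN PKCS12-----" / "-----END PKCS12-----" lines and the "Exported pkcs12 follows:" / "---End - This line not part of the pkcs12---" chatter are assumed here; openssl’s base64 decoder will not skip them on its own), decodes, and then runs the same openssl pkcs12 step as above. It assumes GNU coreutils-style base64, od and awk plus openssl on PATH; PFX_PASS is a convention of this script for passing the export passphrase via openssl’s env: syntax, not an openssl or ASA name. The embedded sample is a constructed 5-byte DER SEQUENCE, not a real PKCS12 file.

```shell
#!/bin/sh
# Added example (not from the original post): convert a Cisco ASA
# "pkcs12" export, which is really Base64 text, into DER and then PEM.
# Assumes GNU coreutils-style base64/od/awk and openssl on PATH.
# Assumed ASA CLI layout: the Base64 body sits between
# "-----BEGIN PKCS12-----" and "-----END PKCS12-----", with chatter such
# as "Exported pkcs12 follows:" and "---End - This line not part of the
# pkcs12---" around it. openssl's base64 decoder chokes on those lines,
# so they are stripped before decoding.

# Print a file's first byte as two hex digits.
first_byte() {
    head -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# Real DER PKCS12 starts with an ASN.1 SEQUENCE tag, 0x30. Base64 text
# starts with 'M' (0x4d) or '-' (0x2d) instead: that is the "wrong tag"
# openssl pkcs12 reports.
is_der() {
    [ "$(first_byte "$1")" = "30" ]
}

# Tolerate CRLF, keep only lines made purely of Base64 characters (this
# drops the BEGIN/END lines, blanks and the ASA trailer), decode, and
# verify the result looks like DER.
asa_pkcs12_decode() {
    tr -d '\r' < "$1" | grep -E '^[A-Za-z0-9+/=]+$' | base64 -d > "$2"
    is_der "$2"
}

# Full conversion: decode only if needed, then extract cert and key.
# PFX_PASS (a name chosen for this script) is handed to openssl with its
# env: syntax so the passphrase never appears in the process list; when
# it is unset, openssl prompts for the passphrase instead.
convert_asa_pfx() {
    der="${2%.pem}.der"
    if is_der "$1"; then
        cp "$1" "$der"
    elif ! asa_pkcs12_decode "$1" "$der"; then
        echo "decode failed: output is not DER" >&2
        return 1
    fi
    # -nodes writes the private key unencrypted: protect the output file.
    # -clcerts drops CA certs from the bundle; omit it to keep the chain.
    if [ -n "${PFX_PASS:-}" ]; then
        export PFX_PASS
        openssl pkcs12 -in "$der" -out "$2" -clcerts -nodes -passin env:PFX_PASS
    else
        openssl pkcs12 -in "$der" -out "$2" -clcerts -nodes
    fi
}

# Constructed sample in the assumed ASA CLI layout. The body is a 5-byte
# DER SEQUENCE (30 03 02 01 05), not a real PKCS12 file; it exercises the
# header stripping and the DER check without needing a real export.
SAMPLE_ASA_EXPORT='Exported pkcs12 follows:

-----BEGIN PKCS12-----
MAMCAQU=
-----END PKCS12-----

---End - This line not part of the pkcs12---'

# Write the sample with CRLF line endings (as a terminal copy-paste often
# has), decode it, and print the decoded length: 5 when the decoder works.
selfcheck() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_ASA_EXPORT" | awk '{ printf "%s\r\n", $0 }' > "$d/asa.pfx"
    asa_pkcs12_decode "$d/asa.pfx" "$d/asa.der" || return 1
    wc -c < "$d/asa.der" | tr -d ' '
    rm -rf "$d"
}

# Usage: ./asa2pem.sh certfile.pfx bundle.pem
if [ "$#" -eq 2 ]; then
    convert_asa_pfx "$1" "$2"
fi
```

If your base64 lacks -d (older macOS uses -D), swap in `openssl base64 -d` for the decode step; the header stripping is the part that matters, since a bare `openssl enc -base64 -d` on the unedited export gives empty or truncated output rather than a clear error.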