While messing with a Cisco ASA, I needed to pull a certificate out of the config. While trying to parse it with openssl, it wasn’t pleased with the PKCS12 format file it claims to have exported:
139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:\
wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:\
nested asn1 error:tasn_dec.c:381:Type=PKCS12
Even windows wouldn’t have a bar of it, which is unsurprising. Its certificate handling’s for shit anyway. I found the answer is here on StackOverflow (of course): OpenSSL cannot convert PKCS12 exported from Cisco ASA 55xx .
Exporting the file as certfile.pfx I then used the enc command to convert it from the ASA’s Base64 format to OpenSSL’s binary format:
$ openssl enc -base64 -d -in certfile.pfx -out converted.pfx
The -d flag is “decrypt” :)
To get the cert and key out to a single bundle file run the following command.
$ openssl pkcs12 -in converted.pfx -out bundle.pem -clcerts -nodes
This will put it in the usual pair-of-PEMs format, allowing you to use them in another system as you would with normal PEM files. :)