Oh my, shock moment with my private key

So I had generated myself a private key using OpenSSL to create a CSR for an Authenticode code signing certificate from Symantec. Today the certificate was issued, but to collect it, one needs to get the key into the browser. Ooopsie daisy. Hadn’t thought of that before.

So I converted my key to PKCS12 format:

openssl pkcs12 -export -nocerts -inkey filename.key -out filename.p12

and tried to import this. But look what I got, an error dialog box showing “The PKCS #12 operation failed for unknown reasons.”:

Firefox error: The PKCS #12 operation failed for unknown reasons.

Trying to import it using Microsoft’s certutil and certmgr.msc gave me even more bizarre errors about the certificate being empty. But they also kind of hinted me into the right direction, when reading through all of Firefox bug #1049435 left me puzzled. In fact I had given the -nocerts option as I intended to only export my private key into PKCS12 format. Of course the issue in the Firefox bug was still a possibility, but no longer the only one.

So I did what all desperateexperienced people do: trythink! :mrgreen:

So I generated another CSR based on my private key, this time to self-sign the certificate.

openssl req -new -key filename.key -out filename.csr

… followed by the actual self-signing:

openssl x509 -req -days 365 -in filename.csr -signkey filename.key -out self-signed.crt

… and followed by the command that would combine private key and self-signed certificate into a single PKCS12 file:

openssl pkcs12 -export -inkey filename.key -in self-signed.crt -out self-signed.p12

I then imported my self-signed certificate, which included the private key, into Firefox and it happily did as asked. After the fact I collected my Symantec code signing certificate and then removed my self-signed certificate again from Firefox.

// Oliver

This entry was posted in EN, IT Security and tagged , . Bookmark the permalink.

2 Responses to Oh my, shock moment with my private key

  1. Lars Peter Thomsen says:

    Excellent – this solved the exact problem I had. I wonder why this isn’t mentioned more on CA websites.

  2. Oliver says:

    My guess is they don’t want you to do this because they fear support costs going through the roof or similar. But what they don’t get is that the whole private key generation in a browser business is a tad bit too opaque to be useful when you want to know exactly what’s going on and where the data goes.

    Glad it helped, though! :)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.