How do I make a base64 .p12 usable?


I'm trying to automate a rather tedious process of creating VPN users and their certificates on our CheckPoint Firewall. When done through the GUI it just has me save the .p12 file on my drive, but when I create a certificate via the API it returns a base64 string that I'm not sure what to do with.

I've tried saving the string as a .p12 file directly (just pasting it in directly, and also trying pem format of begin/end certificate), and I've tried decoding it to binary via python, but no matter what I do I can never use it to connect to our VPN.

The API description of the returned data is:

Certificate file encoded in base64. File format: .P12.

I think it's MIME base64, as the returned string is in chunks of 76 separated by newlines, but at this point I'm just googling things.

I would really appreciate some help!

EDIT:

So I've taken the b64decoded file I've created from the base64 string and run it through openssl -info, and while it accepted my password it seems to be having some troubles. Also, I didn't know what the local key was or if it was significant, so I just redacted it.

tester@lab1:~$ openssl pkcs12 -info -in tester.p12 
Enter Import Password:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
Bag Attributes
    friendlyName: nickster
    localKeyID: redacted 
    1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
Error outputting keys and certificates
140226334045504:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:583:
140226334045504:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:62:
140226334045504:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:93:

There are 3 answers

Mohammad Ismail Tirmizi

Since I stumbled upon the same problem, and although an answer exists in the comments, it isn't that clear, so I'd like to give a formal answer. The commands used are for a Linux system, but other systems can do the trick as well; you just have to find the equivalent commands.

Copy the pkcs12 blob to a file, say pkcs12blob.txt. My file looks like:

$ cat pkcs12blob.txt

MIIF1wIBAzCCBZEGCSqGSIb3DQEHAaCCBYIEggV+MIIFejCCAVcGCSqGSIb3DQEHAaCCAUgEggFEMIIBQDCCATwGCyqGSIb3DQEMCgECoIHIMIHFMCgGCiqGSIb3DQEMAQMwGgQUkdx2oIxyhIyOtnsr+AicfDUrg6UCAgQABIGYw0xT7jD1J0TF78Foq8zJbCu8o4IJJc2lS8NNBWoe9WwC2Y6qldE077u+SUxwediPfd4YzRW3CfzmHhvGVEQD4a0Qc6HwO0WcVhSGeFg71W9XLA/3FDzCh6RT6pOjH66OkImli8G4uN2vFDTrA7JOzkVzFyJ3/JtF65RZNUjF+UDmNbIXxAI50905BrF4JPsReEBnSmq8AvkxYjAjBgkqhkiG9w0BCRUxFgQUIBO5cuYa4i+BSqcrEy ...

Next (at least for Ubuntu) run the command:

base64 --decode pkcs12blob.txt > pkblob_decoded.p12

Explanation: base64 is the Linux utility here. The > is used to direct the output of the command base64 --decode pkcs12blob.txt to the file pkblob_decoded.p12.

Now, to verify that the decoding was successful, you can run openssl commands, like:

$ openssl pkcs12 -in pkblob_decoded.p12 -info

In my case the password I got was also the PEM pass phrase required to access the private key and the certificate.

Enter Import Password:
MAC: sha1, Iteration 1024
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Bag Attributes
    localKeyID: 20 13 B9 72 E6 1A E2 2F 81 4A A7 2B 13 2F CB 42 AA 8F A3 B8 
    friendlyName: device.skyelectric.com
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAib5okfrVyeJgICCAAw
DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIyorn+oup9Z8EgZCLE27JvEh5qbes
W5B4Zhgv8snSdm38cd8VaxTe+lAC52ycZWB/pwtp+l9JtEem64lauCXS5emHJOIV
iDkQZ3ORkirRVgLq+oprbsV8R2N5izCgLiTx5/x6tHnniPSi9QmPMvd40JaDUuj/
GZnlVpX15VqG563RkOvteQ9pnj8gPn5qOZGg9LFQ2J3LMoPNGT8=
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes
    localKeyID: 20 13 B9 72 E6 1A E2 2F 81 4A A7 2B 13 2F CB 42 AA 8F A3 B8 
    friendlyName: device.skyelectric.com
subject=CN = device.skyelectric.com

issuer=O = Keyfactor Inc, CN = Keyfactor Demo Drive ECC 1 ...
...
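A Python equivalent of the decode step above, as an added example that is not from the answer: it joins the 76-column MIME lines, decodes strictly, and checks that the result is a complete DER PFX (outer SEQUENCE, version 3, DER length equal to the byte count) before openssl is involved. The sample blob is constructed and only PFX-shaped, not a real PKCS#12.

```python
"""Decode the API's MIME base64 PKCS#12 blob and sanity-check the DER."""
import base64


def decode_p12_blob(text: str) -> bytes:
    """Join the 76-column lines (dropping any PEM-style armour the caller
    pasted around them); validate=True rejects stray characters such as a
    pasted quote or BOM instead of silently skipping them."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_header_len(blob: bytes) -> int:
    """Octets used by tag + length of the outer DER element."""
    if len(blob) < 2:
        raise ValueError("too short for a DER header")
    if blob[1] < 0x80:                 # short-form length
        return 2
    n = blob[1] & 0x7F                 # long form: n further length octets
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n


def der_outer_length(blob: bytes) -> int:
    """Total size (header + content) the outer element claims to occupy."""
    hdr = der_header_len(blob)
    return hdr + (blob[1] if hdr == 2 else int.from_bytes(blob[2:hdr], "big"))


def check_pfx(blob: bytes) -> dict:
    """Is blob a complete PFX (RFC 7292: SEQUENCE { version INTEGER 3, ... })
    whose DER length equals the byte count?  Catches files written in text
    mode, re-encoded, or truncated before openssl is ever run."""
    if not blob or blob[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE: not DER PKCS#12")
    total = der_outer_length(blob)
    if total != len(blob):
        raise ValueError(f"DER claims {total} bytes, file has {len(blob)}")
    hdr = der_header_len(blob)
    if blob[hdr:hdr + 3] != b"\x02\x01\x03":
        raise ValueError("PFX version is not 3")
    return {"size": len(blob), "version": 3}


def sample_blob() -> str:
    """Constructed input: PFX-shaped DER (version 3 plus a filler OCTET
    STRING, not a real PKCS#12) MIME-wrapped like the API output."""
    inner = b"\x02\x01\x03" + b"\x04\x81\x80" + b"A" * 128   # 134 bytes
    der = b"\x30\x81" + bytes([len(inner)]) + inner          # 137 bytes
    return base64.encodebytes(der).decode()                  # 76-char lines
```

Write the returned bytes with open(path, "wb") and then run the openssl pkcs12 -info check above; a ValueError from check_pfx means the bytes were damaged before decoding, which is a different problem from a wrong import password.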
Chase Blasingame

If you're open to using PowerShell, the below should work:

# Placeholders: set the two paths and the import password for your environment
$base64FilePath = '.\cert-blob.txt'   # base64 text returned by the API
$pkcs12FilePath = '.\cert.p12'
$certPw = 'import-password'
# -Raw reads the file as one string; FromBase64String ignores the newlines of
# MIME-wrapped (76-column) base64, so $byteArray is already the raw .p12
$base64value = Get-Content -Path $base64FilePath -Raw
$byteArray = [System.Convert]::FromBase64String($base64value)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($byteArray, $certPw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Export the certificate as a PFX file (re-packaged by .NET, so it round-trips the key and cert)
$bytesPfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $certPw)
[System.IO.File]::WriteAllBytes($pkcs12FilePath, $bytesPfx)

If you require a solution using OpenSSL, I'm unfortunately having the same issue and am also looking for help on Stack Overflow (you can see my post here).

If you've already found a solution, I would greatly appreciate if you could share!

Carlos Noé
base64 -i cent.p12 -o base64.txt