Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share

0 votes
520 views
in Technique[技术] by (71.8m points)

openssl - How can I convert a pem private key to a format for windows that can be used in .NET

I have been given a private key that turned out to be in pkcs8 format, which I managed to turn into a pem file using the following command:

openssl pkcs8 -inform der -nocrypt -in private.key -out pkey.pem

I now need to convert this to pkcs12 so I can use it in .NET to create an X509 certificate (also I'd like to import it to windows cert manager).

I tried this command:

openssl pkcs12 -export -name myalias -in mycert.crt -inkey pkey.pem -out keystore.p12

However, I don't have the public key. I've tried using the pkey.pem file as the -in arg, but it tells me "No certificate matches private key". If I try without the -in arg then nothing happens (and I mean nothing: there is a blank row until I press ctrl-c).

How can I generate the public key from the private key, or convert to pkcs12 without the public key?

The first part of this question was from the answer here.

I found an answer that gave me some hope, which says to run this command (-nocerts):

openssl pkcs12 -export -nocerts -inkey your.private.key.pem -out your.private.key.p12

But when I try to import the file into the windows key store, it says The specified file is empty when it is importing.

I've also managed to generate a certificate signing request from instructions here, which generated a certificate file, but the command still didn't accept that, saying "No certificate matches private key".

Another answer suggests generating the public key, which I do, but when I use that as the -in arg it still says "No certificate matches private key", which I don't understand, as this public key was generated from the private key using this command: openssl rsa -in privkey.pem -pubout > key.pub

EDIT: I've posted an answer below, but as mentioned I've no way of verifying this information or telling if it works. If anyone has any further information, please let me know.

1 Answer

0 votes
by (71.8m points)

It would seem:

The following commands turn this into a format usable in windows:

Convert the private key from pkcs8/DER to a PEM file format

openssl pkcs8 -nocrypt -in dealerPrivate.key -inform der -outform pem -out private.pem

Convert the certificate from x509/DER to a PEM file format

openssl x509 -inform der -in dealerCertificate.x509 -out public.pem

Merge the two files into a pkcs12 file – you will be prompted for a password to protect the p12 with

openssl pkcs12 -export -inkey private.pem -in public.pem -out mycert.p12

This gives me a pkcs12 certificate (I think) that I've added to the windows key store and can then access from .NET and attach it to my WCF request.

Unfortunately I can't verify that this works, as the service responds with the same data as my request, which is completely confusing:

Request:

POST http://[HOST].com/services/fsa/1.0 HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uIDPo0ii5Jr5wONMi6i/jkMQdFkAAAAArRV2zOsUrEioQMkqYDWulG6ktjqzCoRLtP+/9VQSARUACQAA
SOAPAction: ""
Host: [HOST]
Content-Length: 299
Expect: 100-continue
Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><list xmlns="http://[HOST].com/services/fsa/1.0"><String_1 xmlns="">[MY_STRING]</String_1></list></s:Body></s:Envelope>

Response:

HTTP/1.1 200 OK
Date: Thu, 31 Oct 2013 12:19:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0a mod_jk/1.2.31
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
VsDebuggerCausalityData: uIDPo0ii5Jr5wONMi6i/jkMQdFkAAAAArRV2zOsUrEioQMkqYDWulG6ktjqzCoRLtP+/9VQSARUACQAA
SOAPAction: ""
host: [HOST]
Expect: 100-continue
connection: Keep-Alive, Keep-Alive
Content-Length: 299
Keep-Alive: timeout=2, max=100
Content-Type: text/xml;charset=utf-8

<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><list xmlns='http://[HOST].com/services/fsa/1.0'><String_1 xmlns=''>[MY_STRING]</String_1></list></s:Body></s:Envelope>
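The three commands from the answer, scripted end to end together with the check that `pkcs12 -export` performs behind the question's "No certificate matches private key" error: the public key embedded in the certificate must be the same as the one derived from the private key, and a bare public-key file produced by `openssl rsa -pubout` is not a certificate at all, so it can never satisfy that check. This is an added example, not code from the question or the answer. It assumes the `openssl` command-line tool is on PATH, and it constructs its own RSA key and DER certificate to stand in for dealerPrivate.key and dealerCertificate.x509 (the real certificate would be CA-issued rather than self-signed).

```shell
#!/bin/sh
# Added example (not from the question or the answer). Assumes the OpenSSL CLI
# is installed; file names mirror the thread, the input material is constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed inputs standing in for dealerPrivate.key / dealerCertificate.x509.
make_inputs() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/seed.pem" 2>/dev/null
    # Unencrypted PKCS#8 DER key, the format the asker received.
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/seed.pem" -outform der -out "$WORK/dealerPrivate.key"
    # A DER certificate issued for that key (self-signed here for the example).
    openssl req -new -x509 -key "$WORK/seed.pem" -subj "/CN=constructed-example" -days 30 \
        -outform der -out "$WORK/dealerCertificate.x509" 2>/dev/null
}

# Steps 1 and 2 of the answer: DER -> PEM for the key and for the certificate.
der_to_pem() {
    openssl pkcs8 -nocrypt -inform der -in "$1" -outform pem -out "$WORK/private.pem"
    openssl x509 -inform der -in "$2" -out "$WORK/public.pem"
}

# The check behind "No certificate matches private key": the SubjectPublicKeyInfo
# inside the certificate must equal the public key derived from the private key.
# A bare PUBLIC KEY file fails at the x509 step because it is not a certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Step 3 of the answer, with the export password supplied non-interactively.
# -name becomes the friendly name shown when the file is imported on Windows.
export_p12() {
    openssl pkcs12 -export -name myalias -inkey "$1" -in "$2" -passout "pass:$4" -out "$3"
}

# Prove the .p12 is usable: both a certificate and a private key must parse out of it.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -noout
}

demo() {
    make_inputs
    der_to_pem "$WORK/dealerPrivate.key" "$WORK/dealerCertificate.x509"
    key_matches_cert "$WORK/private.pem" "$WORK/public.pem"
    export_p12 "$WORK/private.pem" "$WORK/public.pem" "$WORK/mycert.p12" "export-password"
    verify_p12 "$WORK/mycert.p12" "export-password"
    echo "wrote $WORK/mycert.p12"
}

demo
```

Running `key_matches_cert` against the two PEM files before exporting tells you in advance whether `pkcs12 -export` will accept the pair, and `verify_p12` confirms that the resulting file carries both the certificate and the key rather than a key alone, which is what the `-nocerts` variant from the question produces.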
