2

I'm trying to export a private key from a pfx-file using OpenSSL:

openssl pkcs12 -in C:\tmp\pfxfile.pfx -nocerts -nodes -out C:\tmp\prvkey.pem

I get the prompt to enter the password:

Enter Import Password:

Upon entering it, a file gets created, but I get the following error message:

Warning unsupported bag type: secretBag

I tried some research, but I couldn't find out if the warning poses a problem. The final goal is to create a pvk file for the private key, which fails with an error message - please see my other question.

Here's the content of prvkey.pem:

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: **-********-****-****-****-************
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 80 
-----BEGIN PRIVATE KEY-----
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
************************
-----END PRIVATE KEY-----
  • @garethTheRed The certificate was issued by DigiCert, it's for code signing. I had to reissue a new certificate quickly because the old certificate was already expired, so I just used the same CSR-string/file to create the new certificate. Now I need to create a new pfx-file with the new certificate. To do that I need the private key, which I could export from the pfx-file from the old certificate.
    – Albin
    Commented Mar 10, 2020 at 17:41
  • What does the final file look like? Obviously don't paste it here, but does it begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----? Can you view it with openssl rsa -in prvkey.pem -noout -text and/or verify it with openssl rsa -in prvkey.pem -noout -check? Commented Mar 10, 2020 at 18:29
  • @garethTheRed I put the content into my question, as far as I know that's how it's supposed to look. Maybe there is another way to test if the key has been exported correctly?
    – Albin
    Commented Mar 10, 2020 at 19:15
  • @garethTheRed Not yet. I assume I should verify the "old" pfx with my exported private key?
    – Albin
    Commented Mar 10, 2020 at 19:33
  • The command simply verifies that the RSA private key is valid after you have generated it. Commented Mar 10, 2020 at 20:00
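
The comments above ask how to test whether the key was exported correctly. As an added example (not part of the original question, comments or answer), this script repeats the export on a throwaway PFX and checks the result with `openssl rsa -check` and, going beyond the check named in the comments, by comparing the key's public half with the certificate stored in the PFX. The function names, file names and the `PFX_PASS` environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a private key exported from a PFX is valid and
# belongs to the certificate in that PFX. The password is read from the
# PFX_PASS environment variable (assumption) so it stays out of the process list.
umask 077   # files written below, including the exported key, are owner-only

# Build a throwaway PFX from a constructed key and self-signed certificate.
make_test_pfx() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/test.pfx" -passout env:PFX_PASS
}

# Same export as in the question; stderr is left visible so warnings still show.
export_key() {  # $1 = PFX file, $2 = output PEM
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS -out "$2"
}

# Check from the comments. The output is matched because the exit status of
# "rsa -check" is not a reliable failure signal in every OpenSSL version.
key_is_valid() {  # $1 = key PEM
    openssl rsa -in "$1" -noout -check 2>/dev/null | grep -q "RSA key ok"
}

# Compare the key's public half with the public key of the PFX's certificate.
key_matches_cert() {  # $1 = PFX file, $2 = key PEM
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    PFX_PASS="constructed-password"; export PFX_PASS   # constructed sample value
    make_test_pfx "$dir" && export_key "$dir/test.pfx" "$dir/prvkey.pem" &&
        key_is_valid "$dir/prvkey.pem" &&
        key_matches_cert "$dir/test.pfx" "$dir/prvkey.pem"
    rc=$?
    rm -rf "$dir"   # remove the throwaway key material
    return $rc
}

demo && echo "exported key is valid and matches the certificate in the PFX"
```

For a real file, set `PFX_PASS`, run `export_key` on the PFX, then call `key_is_valid` and `key_matches_cert` on the result.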

1 Answer

1

Had the same error and this worked for me: During the export through the Windows MMC, uncheck all options to extra secure the PKCS#12. Also be sure that you are not selecting a user or group (in the next window). Choose a password instead.
