I am trying to implement client authentication for my API calls. To test this I am using Postman. When adding a .pfx client certificate to Postman and calling the API endpoint I get:
Error: BAD_PKCS12_DATA
After some digging I found the hint to split the .pfx file into .crt and .key. So I read the openssl documentation and tried the following:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
But running these commands throws an error:
8000:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../openssl-1.1.1s/crypto/asn1/tasn_dec.c:1149:
8000:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../openssl-1.1.1s/crypto/asn1/tasn_dec.c:309:Type=PKCS12
Does anyone know what the problem is? Btw: I exported the .pfx file from an Azure Key Vault using:
az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname>
which worked fine.
To narrow down the problem, I downloaded the .crt and .key file directly from the keyvault using:
az keyvault certificate download --vault-name <keyvaultname> -n <certname> -f <certname>.crt -e DER
az keyvault secret download --vault-name <keyvaultname> -n <certname> -f <certname>.key
but when I use the .crt and .key file I downloaded via Azure CLI I get another error in Postman:
Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE
Which is why I wanted to test splitting the .pfx into .crt and .key via openssl.
Does anybody have some insight as to why the extraction is failing or what I am doing wrong?
I was having the exact same issue you are having, also using Azure Key Vault. What I found is that the downloaded secret appeared to be text, whereas pfx is a binary format. Passing --encoding base64 to the download command seemed (counter-intuitively) to properly write out a binary file. openssl then worked fine with this file, using the commands you mentioned (though I had to add a -nodes option to not try and password protect the exported key), and I also added -passin pass: to not prompt for an import password. So in summary, these are the commands I ran:
az keyvault secret download --file <certname>.pfx --vault-name <keyvaultname> --name <certname> --encoding base64
openssl pkcs12 -in <certname>.pfx -nocerts -out cert.key -nodes -passin pass:
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys -out cert.crt -passin pass:
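As an added example (not from the post above), a small POSIX shell helper that checks whether the file az keyvault secret download wrote is base64 text or a binary PKCS#12 bundle, decodes it when needed, and then splits it with the answer's two openssl commands and verifies the key and certificate match. The function names are mine; it assumes openssl and base64 are on PATH and that the bundle has an empty import password, which is what the answer's -passin pass: covers.

```shell
#!/bin/sh
# Added helper (not from the post). Assumes: openssl on PATH, a base64 tool that
# accepts -d, and a PFX with an empty import password (as in the answer).
set -eu

# Succeeds only if the file parses as a binary PKCS#12 bundle.
is_pkcs12() {
  openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Copies a binary PKCS#12 to $2, or base64-decodes $1 into $2 when the file was
# written as text (what az keyvault secret download does without --encoding base64).
normalize_pfx() {
  in="$1"; out="$2"
  if is_pkcs12 "$in"; then
    cp "$in" "$out"
  elif base64 -d "$in" > "$out" 2>/dev/null && is_pkcs12 "$out"; then
    :  # the decoded text form is a valid bundle; nothing more to do
  else
    rm -f "$out"
    echo "not a PKCS#12 bundle (neither binary nor base64): $in" >&2
    return 1
  fi
}

# Extracts the unencrypted key and the leaf certificate (the answer's commands),
# then checks that both halves carry the same public key before handing them to Postman.
split_pfx() {
  pfx="$1"; key="$2"; crt="$3"
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin pass: -out "$key"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin pass: -out "$crt"
  [ "$(openssl pkey -in "$key" -pubout)" = "$(openssl x509 -in "$crt" -pubkey -noout)" ]
}
```

If an OpenSSL 3 build rejects the bundle's legacy cipher, add -legacy to the openssl pkcs12 invocations.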