Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Generating a PFX cert providing CRT and KEY #5809

Open josesimoes opened 2 years ago

josesimoes commented 2 years ago

Suggested enhancement

I can't find a way to generate a PFX file from a CRT and KEY file. Maybe I'm overlooking something...

Justification

I'm currently on a "quest" to prove that Mbed TLS can be used instead of OpenSSL to generate certificates for Azure IoT Hub usage. One of the scenarios requires a PFX file (and password) with the device certificate. So far, by using the gen_key and cert_write applications, I'm able to generate the key and certificate. The final (missing) step is to be able to combine those in a PFX file.

tom-cosgrove-arm commented 2 years ago

There's currently minimal support for PKCS#12 in Mbed TLS, but we would welcome contributions of example code (to go in programs/).

If you ask on the project mailing list (mbed-tls@lists.trustedfirmware.org) others may be able to help.

josesimoes commented 2 years ago

@tom-cosgrove-arm understood, but can you confirm that the required "primitives" to accomplish the above exist on MbedTLS?

gilles-peskine-arm commented 2 years ago

The pkcs12 module in Mbed TLS specifically handles PKCS#12 encryption. There's also an ASN.1 module and of course X.509 support. I'm not really familiar with PKCS#12, I think it should be possible to implement it with the primitives, but it's possible that full PKCS#12 support requires extra work in pkcs12.c (which hasn't changed in a long time and might not support modern algorithms, if the PFX ecosystem uses modern algorithms) or in ASN.1.
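To make the "which primitives" question concrete, here is an added worked example (written for this page, not code from the Mbed TLS project or from anyone in the thread) that assembles the PKCS#12 PFX container from a DER certificate and a DER private key with a tiny DER writer, and walks it back with a matching reader. It builds the unprotected form only: no password-based encryption of the key and no MacData, which is exactly the ASN.1 plumbing the thread says is missing, while the PBE step is what the pkcs12 module covers. The certificate and RSA key bytes are constructed placeholders; the structure, OIDs and the PKCS#8 wrapping are standard PKCS#12 / PKCS#8. In C the same bytes would be produced with the mbedtls_asn1_write_* functions, which write backwards from the end of a buffer.

```python
# Added example for this page, not Mbed TLS code. Unprotected PFX (no PBE, no
# MAC): never ship real device keys this way; it is the skeleton that the
# encrypted variant is built on.
from typing import List, Tuple

# --- tiny DER writer -------------------------------------------------------
def der_len(n: int) -> bytes:                  # short form < 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content
def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))
def der_oct(b: bytes) -> bytes:
    return der_tlv(0x04, b)
def der_ctx0(content: bytes) -> bytes:         # [0] EXPLICIT, constructed
    return der_tlv(0xA0, content)
def der_int(v: int) -> bytes:                  # non-negative; keeps sign bit clear
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted: str) -> bytes:
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                         # base-128, high bit = continuation
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

OID_DATA, OID_RSA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.1.1"
OID_KEY_BAG, OID_CERT_BAG = "1.2.840.113549.1.12.10.1.1", "1.2.840.113549.1.12.10.1.3"
OID_X509_CERT = "1.2.840.113549.1.9.22.1"

def pkcs8_wrap_rsa(rsa_private_key_der: bytes) -> bytes:
    """A KeyBag holds a PKCS#8 PrivateKeyInfo; mbedtls_pk_write_key_der emits a bare
    PKCS#1 RSAPrivateKey, so wrap it: version 0, rsaEncryption with NULL params."""
    return der_seq(der_int(0), der_seq(der_oid(OID_RSA), b"\x05\x00"),
                   der_oct(rsa_private_key_der))

def data_content_info(payload: bytes) -> bytes:
    """ContentInfo { id-data, [0] OCTET STRING payload }: the plaintext wrapper."""
    return der_seq(der_oid(OID_DATA), der_ctx0(der_oct(payload)))

def build_unprotected_pfx(cert_der: bytes, pkcs8_key_der: bytes) -> bytes:
    cert_bag = der_seq(der_oid(OID_CERT_BAG), der_ctx0(
        der_seq(der_oid(OID_X509_CERT), der_ctx0(der_oct(cert_der)))))
    key_bag = der_seq(der_oid(OID_KEY_BAG), der_ctx0(pkcs8_key_der))
    safe_contents = der_seq(key_bag, cert_bag)                # SEQUENCE OF SafeBag
    auth_safe = der_seq(data_content_info(safe_contents))     # AuthenticatedSafe
    return der_seq(der_int(3), data_content_info(auth_safe))  # PFX v3, no macData

# --- tiny DER reader -------------------------------------------------------
def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """One TLV at pos -> (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(content: bytes) -> List[bytes]:
    """Raw child TLVs of a constructed value's content."""
    out, pos = [], 0
    while pos < len(content):
        nxt = der_read(content, pos)[2]
        out.append(content[pos:nxt])
        pos = nxt
    return out

def unwrap_data(content_info: bytes) -> bytes:
    oid, ctx0 = der_children(der_read(content_info)[1])[:2]
    if oid != der_oid(OID_DATA):
        raise ValueError("only plaintext id-data ContentInfo is handled here")
    return der_read(der_read(ctx0)[1])[1]                     # [0] -> OCTET STRING

def extract_from_pfx(pfx: bytes) -> Tuple[bytes, bytes]:
    """Walk an unprotected PFX back to (cert_der, pkcs8_key_der)."""
    version, auth_safe_ci = der_children(der_read(pfx)[1])[:2]
    if der_read(version)[1] != b"\x03":
        raise ValueError("not a PFX v3")
    cert = key = b""
    for ci in der_children(der_read(unwrap_data(auth_safe_ci))[1]):
        for bag in der_children(der_read(unwrap_data(ci))[1]):
            bag_oid, bag_val = der_children(der_read(bag)[1])[:2]
            value = der_read(bag_val)[1]                      # strip [0]
            if bag_oid == der_oid(OID_KEY_BAG):
                key = value
            elif bag_oid == der_oid(OID_CERT_BAG):
                _, cert_val = der_children(der_read(value)[1])[:2]
                cert = der_read(der_read(cert_val)[1])[1]     # [0] -> OCTET STRING
    return cert, key

if __name__ == "__main__":
    # Constructed placeholders standing in for real DER from cert_write / gen_key.
    fake_cert = der_seq(der_int(1))
    fake_rsa_key = der_seq(der_int(0), der_int(65537))
    pfx = build_unprotected_pfx(fake_cert, pkcs8_wrap_rsa(fake_rsa_key))
    print(len(pfx), "bytes;", extract_from_pfx(pfx) == (fake_cert, pkcs8_wrap_rsa(fake_rsa_key)))
```

With a real certificate and key, the same shape is what `openssl pkcs12 -export -nodes -keypbe NONE -certpbe NONE -nomac` produces (OpenSSL also adds bag attributes such as localKeyID, so byte-for-byte equality is not the goal), and `openssl pkcs12 -in device.p12 -info -nodes` will dump what the builder wrote. The password-protected file Azure IoT Hub expects differs in three places: the KeyBag becomes a PKCS8ShroudedKeyBag holding an EncryptedPrivateKeyInfo, the certificate SafeContents is carried in an encryptedData ContentInfo instead of id-data, and a MacData trailer is appended; those are the PBE and MAC steps where the pkcs12 module comes in and where the caveat above about algorithm support applies.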