Yubico / yubikey-piv-manager

Tool for configuring your PIV-enabled YubiKey
https://developers.yubico.com/yubikey-piv-manager/
GNU General Public License v3.0

Import from certificate+private key as PEM creates unusable key, works when importing as PKCS12 #6

Closed hiviah closed 7 years ago

hiviah commented 8 years ago

Let's have three key files: a 2048-bit private key, a client certificate and a CA certificate: client.key, client.crt and ca.crt. Let's import them into slot 9c.

This makes an unusable key:

  1. cat client.crt client.key > cert_key.pem
  2. import the result into slot 9c in the manager
  3. test it, e.g. with pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -t -l -p MYPIN - it fails (I got CKR_DATA_INVALID as error)

Importing the same cert/key pair as PKCS#12 works though:

  1. openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes
  2. import into slot 9c in the manager
  3. test it again with pkcs11-tool, now the signature generation works

dainnilsson commented 8 years ago

Importing PEM files containing multiple objects isn't supported. You can import the two files separately.

Edit: To clarify what is happening: Only the first object is being imported (the cert), so there is no key in the slot, and thus it is not usable.

hiviah commented 8 years ago

OK I can confirm this. If I split them and import twice, it works.

Also, if the certificate contains some extra text outside the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---, it may fail with "Certificate is to large to fit in buffer."

So it basically seems that PIV manager needs to do some sanity checks on the files before importing them.

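As an added example (not the project's own code), a small PEM splitter in Python that does the two checks discussed in this thread: it enumerates every object in a concatenated PEM file instead of stopping at the first, and it reports any text found outside the BEGIN/END markers. The sample PEM payloads are constructed stand-ins, not real DER.

```python
import base64
import re

# One PEM block; the backreference forces the BEGIN and END labels to match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def split_pem(text):
    """Return (objects, stray): every (label, der_bytes) in file order, plus any
    text found outside the BEGIN/END markers (which bloats an import buffer)."""
    objects, stray, pos = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        outside = text[pos:m.start()].strip()
        if outside:
            stray.append(outside)
        body = "".join(m.group(2).split())  # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"malformed base64 in {m.group(1)} block") from exc
        objects.append((m.group(1), der))
        pos = m.end()
    tail = text[pos:].strip()
    if tail:
        stray.append(tail)
    return objects, stray

def check_slot_import(text):
    """Sanity check before writing to a PIV slot: exactly one certificate,
    exactly one private key, nothing outside the markers. Empty list = OK."""
    objects, stray = split_pem(text)
    labels = [label for label, _ in objects]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if certs != 1:
        problems.append(f"expected 1 certificate, found {certs}")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if stray:
        problems.append(f"{len(stray)} stray text segment(s) outside PEM markers")
    return problems

# Constructed sample: fake payloads standing in for real DER, not a real cert or key.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nY2VydA==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\na2V5\n-----END PRIVATE KEY-----\n"
```

Run `check_slot_import(open("cert_key.pem").read())` on the concatenated file from the first comment; a cert-only file reports the missing key, and "Bag Attributes" style text from an openssl dump shows up as a stray segment.
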
dagheyman commented 7 years ago

Support for PEM files including both a certificate and a private key is now added, and will be included in the next release.

lvandenb commented 6 years ago

Importing PEM files containing cert + private key is working, but importing PFX is not working. I used xca and I used Microsoft certificate manager, no way. PEM with key and no password: yes.