OpenSSL stores private keys in an
undocumented PEM format (the key data is DER-encoded and the result is
ASCII-armoured), which Cryptlib
does not support.
pemtrans reads an OpenSSL RSA private key and the corresponding signed
public key certificate, and writes a PKCS #15 keyset that Cryptlib can
use. The included manual page explains how to use the program.
Cryptlib requires (and respects) the KEYUSAGE attribute on certificates.
Some certificates do not contain this attribute, and pemtrans issues a
warning when it encounters them, because Cryptlib will probably reject
it when you try to use it for something, e.g. in a TLS server.
OpenSSL, by default, does not set KEYUSAGE. This can be fixed by
adding a line like the following to openssl.cnf before
generating the key and certificate (the attributes specified here are
enough for the result to be used in a TLS server):
keyUsage = cRLSign, digitalSignature, keyEncipherment, keyCertSign
Use, modification, and distribution of pemtrans is allowed without
any limitations. There is no warranty, express or implied.
Please send questions and comments to firstname.lastname@example.org.