[Help-gnutls] Re: _gnutls_fbase64_decode and PEM headers

Michael Welsh Duggan mwd at cert.org
Thu Jun 14 17:51:47 CEST 2007

Simon Josefsson <simon at josefsson.org> writes:

>> Question B: Am I doing something wrong?
> Yes, most likely you really want to use PKCS#12 to transport encrypted
> private keys instead.  That format can also encode client certificates
> and/or CA certificates as well.  The API to use is:
>   extern int
>     gnutls_certificate_set_x509_simple_pkcs12_file
>     (gnutls_certificate_credentials_t res, const char *pkcs12file,
>      gnutls_x509_crt_fmt_t type, const char *password);
> You should be able to convert to from OpenSSL-encrypted files to PKCS#11
> using one of the OpenSSL command line tools.

Okay.  I have attempted this using the gnutls certtool program.  To be

a) I created a cert and key using certtool.
b) I used 
        rv = gnutls_certificate_set_x509_key_file(queue->root->cred,

This worked.  I then tried the following:

a) Created a PKCS-12 key using:
   certtool --load-certificate clientcert.pem \
     --load-privkey clientkey.pem --to-p12 --outfile client.p12
   (Used an empty password)
b) Used 
        rv = gnutls_certificate_set_x509_simple_pkcs12_file(
   (Used an empty password)

When I do this, I get the following error:
    ASN1 parser: Error in TAG.

Gnutls version is 1.4.1.  Any suggestions?

Michael Welsh Duggan
(mwd at cert.org)

More information about the Gnutls-help mailing list