I have exported an existing certificate+key from an ASA 5510:
asa5510(config)# crypto ca export MYTRUSTSTORE pkcs12 MYPASSWORD
Saved the output in a file (vpn-cisco.pkcs12), and now I am trying to pull the cert and the key into separate files like so:
openssl pkcs12 -in cisco-vpn.pkcs12 -nocerts -out privateKey.pem
The error I receive:
139708630054816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139708630054816:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12
Same error if I run openssl pkcs12 -info ... or any other command.
I have tried to export the file again and compare using ASDM instead of the CLI, but the file is exactly the same.
Googling for the error only says the encoding of the file might be somehow off, but gives no specific details.
EDIT (7 years later): I came across the same issue again, having to maintain an ASA and a Zimbra setup using the same certs, and came across my own question as the working answer.
Extra thanks for all the additional input like needing to sanitize the p12 file for empty lines etc.
EDIT 2: PKCS12 export from the ASA encrypts the private key, and ZCS isn't happy with that, so the password needs to be dropped. First extract the key:
openssl pkcs12 -in cisco-vpn.pkcs12.bin -nocerts -out privateKey.pem
And then drop the password:
openssl rsa -in privateKey.pem -out key_no_pass.txt
This is strange. I have the same problem and found this question to have no answer. I then did more searching and found a yaleman.org post that says they found the answer and linked to this very question. Yet there was no answer here. Retroactively fixing that, full props to yaleman.
Long and short: You need to convert the pfx from Base64 to openssl's binary format.
Then you can convert it to a PEM and get the key or cert separately.
If you have trouble with the decode, check your file and delete any blank lines in it. Our ASA was saving them with leading blanks and openssl doesn't like that.
Encountered the same issue, turned out that my cert was double base64 encoded...
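As an added example (not from the question or any of the answers), here is a small Python script that does what the two answers above describe: it strips the blank and indented lines from the ASA's base64 output, decodes it once (or twice, if it was double base64 encoded) and checks that the result is one complete DER SEQUENCE, which is the binary PFX form that openssl pkcs12 expects. The script name fix_asa_p12.py and the .bin output suffix are my own choices.

```python
import base64
import binascii
import sys
from pathlib import Path

# "wrong tag" from openssl means the first byte read was not 0x30 (DER SEQUENCE);
# a file that is still base64 starts with 'M' (0x4D), which triggers exactly that.
# This script peels the base64 off and verifies the DER header before you hand
# the .bin file to "openssl pkcs12".

def der_total_length(data: bytes):
    """Total encoded length of the outer DER SEQUENCE, or None if there is no SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def is_complete_der(data: bytes) -> bool:
    """True when data is exactly one DER SEQUENCE (no trailing or missing bytes)."""
    return der_total_length(data) == len(data)

def normalise_base64(data: bytes) -> bytes:
    """Drop blank lines, leading/trailing blanks and PEM-style ----- lines."""
    lines = (ln.strip() for ln in data.splitlines())
    return b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))

def decode_asa_export(raw: bytes, max_layers: int = 3):
    """Peel base64 layers off an ASA PKCS#12 export; return (der_bytes, layers_removed)."""
    data = raw
    for layer in range(max_layers + 1):
        if is_complete_der(data):
            return data, layer
        try:
            data = base64.b64decode(normalise_base64(data), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"layer {layer}: neither DER nor valid base64: {exc}") from exc
    raise ValueError(f"no DER SEQUENCE found after {max_layers} base64 layers")

if __name__ == "__main__":            # usage: python fix_asa_p12.py cisco-vpn.pkcs12
    src = Path(sys.argv[1])
    der, layers = decode_asa_export(src.read_bytes())
    out = src.with_name(src.name + ".bin")
    out.write_bytes(der)
    print(f"removed {layers} base64 layer(s); now run: openssl pkcs12 -in {out} -nocerts -out privateKey.pem")
```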
If you're doing this on Windows you could try using the OpenSSL exe located at "C:\Program Files\Git\usr\bin\openssl.exe". That worked for me, after I originally got this error when using openssl from a Git bash session. Using the openssl.exe I got prompted for the .pfx password, which hadn't happened previously. (I also regenerated the original .pfx at one point, in case there was some corruption issue.)