.net – Encrypt RSA PRIVATE KEY as OpenSSL using C#

I want to encrypt the RSA PRIVATE KEY given by the piece of code:

var privateKey = cert.GetRSAPrivateKey().ExportRSAPrivateKey()

This gives the RSA PRIVATE KEY as decrypted by openssl with the command:

rsa -text -in private.key -passin pass:passphrase

Now I want a private key as in the command:

OpenSSL> pkcs12 -in src_test_resources_bokkzbv.p12 -nocerts -passin pass:yEzgzmKPkAgj6p17sHnM-des
MAC verified OK
Bag Attributes
    friendlyName: name
    localKeyID: <some random hex>
Key Attributes: <No Attributes>
Enter PEM pass phrase: passphrase
Verifying - Enter PEM pass phrase: passphrase

Is there a way to do this in C# (.NET Core 3.1)?
Someone please help with this.

openssl – Windows: CertUtil “Error => Pending OCSP response download”

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command
CertUtil -downloadOcsp .certs .ocsp_responses downloadonce
A single p7b certificate is in the certs directory. I read the log of my openssl 1.1.1f OCSP responder in real-time, and I can see that
the connection is made. And the output from certutil looks like it downloads the response. But certutil reports an error, and no ocsp response is saved in .ocsp_responses

The output from certutil is:

==== Downloaded OCSP Responses ====
7/5/2021 2:56 PM 44.368s :: Error => Pending OCSP response download — <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f

What might the problem be, and how can I correct it?

openssl – Extract RSA Public Key from public Certificate

I have a public certificate with a 2048-bit RSA public key for encrypting data.
I need to use openssl to extract this public key.
The certificate is a PEM .cer file, and the extracted key should be PEM too.

I use this command to extract the public key:

openssl x509 -pubkey -noout -in cert.cer  > pubkey.pem

And output is:


And I try to convert it to an RSA public key with PKCS#1 padding and ASN.1 encoding:

openssl x509 -inform PEM -in cert.cer -outform PEM -pubkey -nocert -out pubkeyRSA.pem

And output is


After decoding it with Base64 and using it to encrypt data, the server shows me an error that the encrypted key is wrong. Also, when trying to load these keys into the LockBox library for Delphi programs, it throws an exception “Wrong asymetric key”.

The certificate is:


Am I extracting this key from the certificate correctly?

openssl – Can mutual TLS work with a self-signed client certificate?

Is it conceptually possible to allow a specific self-signed client certificate in the server for mutual TLS?

If it is possible but not recommended, why?

I have a client to whom I have to provide a server that does mutual TLS auth. But they say they won't sign our server certificate, nor will they let us sign their client certificate. How should I approach this?

crl – OpenSSL and connection time

Does anyone know about the search mechanism used in OpenSSL w.r.t verifying a serial number against a CRL file?
I understand that in the case of Base-CRL approach, the file size will grow over time and also it depends upon the number of revocations and length/size of the serial number.

Any idea as to whether OpenSSL makes use of binary search or linear search for CRL checking? Due to the environmental constraints, I’m not able to perform some tests to understand the time taken for a CRL check with different CRL file sizes and so looking for an answer here.

Getting different results with a Bitcoin address generator c++ openssl

I’m making a Bitcoin address generator from a private key in C++. I followed several examples on the net, and I don’t get the same result after the public key is hashed with SHA-256 and RIPEMD-160.

Example: https://programmer.help/blogs/how-bitcoin-addresses-are-generated.html

Private Key: ccea9c5a20e2b78c2e0fbdd8ae2d2b67e6b1894ccb7a55fc1de08bd53994ea64

Public Key: 04d061e9c5891f579fd548cfd22ff29f5c642714cc7e7a9215f0071ef5a5723f691757b28e31be71f09f24673eed52348e58d53bcfd26f4d96ec6bf1489eab429d

Correct Hash:
Ripemd: 2b6f3b9e337cedbb7c40839523fb1100709c12f7

Resulting Hash:
Ripemd: 6d0933c13cad83f9f67657e1f87e8acccc2b98e6

#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <string>
#include <cstring>
#include <iomanip>
#include <sstream>
#include <locale>
#include <algorithm>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/ripemd.h>

using namespace std;

string inputSHA256;
string outputSHA256;

// The SHA-256 hex digest is 64 characters plus the terminating NUL,
// so a 41-byte buffer would overflow when it is copied in below.
char inputRipemd[65];
char outputRipemd[41];

// Hex-encoded SHA-256 of the bytes of str
string sha256(const string str)
{
    unsigned char hash[SHA256_DIGEST_LENGTH];
    SHA256_CTX sha256;
    SHA256_Init(&sha256);
    SHA256_Update(&sha256, str.c_str(), str.size());
    SHA256_Final(hash, &sha256);
    stringstream ss;
    for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
        ss << hex << setw(2) << setfill('0') << (int)hash[i];
    return ss.str();
}

// Hex-encoded RIPEMD-160 of the NUL-terminated input; outputBuffer needs 41 bytes
void ripemd160(const char *input, char outputBuffer[41])
{
    unsigned char hash[RIPEMD160_DIGEST_LENGTH];
    RIPEMD160_CTX ripemd160;
    RIPEMD160_Init(&ripemd160);
    RIPEMD160_Update(&ripemd160, input, strlen(input));
    RIPEMD160_Final(hash, &ripemd160);
    for (int i = 0; i < RIPEMD160_DIGEST_LENGTH; i++)
        snprintf(outputBuffer + (i * 2), 41 - (i * 2), "%02x", hash[i]);
    outputBuffer[40] = 0;
}

int main()
{
    EC_KEY *eckey = NULL;
    EC_POINT *pub_key = NULL;
    const EC_GROUP *group = NULL;
    BIGNUM *res = NULL; // allocated by BN_hex2bn; BIGNUM is opaque in OpenSSL 1.1+
    BN_CTX *ctx;

    // Elliptic Curve
    ctx = BN_CTX_new(); // ctx is an optional buffer to save time from allocating and deallocating memory whenever required

    BN_hex2bn(&res, "ccea9c5a20e2b78c2e0fbdd8ae2d2b67e6b1894ccb7a55fc1de08bd53994ea64");

    eckey = EC_KEY_new_by_curve_name(NID_secp256k1);
    group = EC_KEY_get0_group(eckey);
    pub_key = EC_POINT_new(group);

    EC_KEY_set_private_key(eckey, res);

    /* pub_key is a new uninitialized `EC_POINT*`.  priv_key res is a `BIGNUM*`. */
    if (!EC_POINT_mul(group, pub_key, res, NULL, NULL, ctx))
        printf("Error at EC_POINT_mul.\n");

    EC_KEY_set_public_key(eckey, pub_key);

    // Uncompressed SEC1 point as 130 hex characters: "04" || X || Y
    char *cc = EC_POINT_point2hex(group, pub_key, POINT_CONVERSION_UNCOMPRESSED, ctx);

    string bytes(cc);
    string bytesLower = "";

    // To Lower Case
    std::locale loc;

    for (auto elem : bytes) {
        bytesLower += tolower(elem, loc);
    }

    cout << "Public Key: " << bytesLower << endl;

    // Sha256 (note: this hashes the 130-character hex text of the point, not its 65 raw bytes)
    inputSHA256 = bytesLower;
    outputSHA256 = sha256(inputSHA256);

    cout << "SHA256: " << outputSHA256 << endl;

    //transform(outputSHA256.begin(), outputSHA256.end(), outputSHA256.begin(), ::toupper);

    // Ripemd (likewise over the 64-character hex text of the SHA-256 digest)
    strcpy(inputRipemd, outputSHA256.c_str());
    ripemd160(inputRipemd, outputRipemd);

    string ripemd(outputRipemd);

    cout << "Ripemd: " << ripemd << endl;
    string tc = "00";
    tc += ripemd;

    // Checksum: first 4 bytes (8 hex characters) of SHA256(SHA256(version || hash))
    string outputSHA256Checksum = sha256(sha256(tc));

    for (int i = 0; i < 8; i++) {
        tc += outputSHA256Checksum[i];
    }

    cout << "Address HEX: " << tc << endl;

    OPENSSL_free(cc);
    EC_POINT_free(pub_key);
    EC_KEY_free(eckey);
    BN_free(res);
    BN_CTX_free(ctx);

    return 0;
}
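The following is an added example, not code from the post above. It derives a P2PKH address from an uncompressed public key in Python (standard library only) and isolates the step the post's C++ gets wrong: SHA-256 and RIPEMD-160 must run over the 65 raw bytes of the point, not over its ASCII hex text. It goes further than the post by finishing the Base58Check encoding. The sample key and intermediate values are the well-known test vector from the Bitcoin wiki's "Technical background of version 1 Bitcoin addresses" page; the post's own key is only printed, not checked. `wrong_sha256_of_hex_text` is a hypothetical helper that reproduces the post's mistake on purpose.

```python
"""P2PKH address derivation: raw-byte hashing versus hashing hex text.

Added example; not code from the original post. RIPEMD-160 is reached via
hashlib, which on some OpenSSL 3 builds has it only in the legacy
provider, so its availability is probed rather than assumed.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Well-known test vector from the Bitcoin wiki (uncompressed SEC1 point).
WIKI_PUBKEY_HEX = (
    "0450863AD64A87AE8A2FE83C1AF1A8403CB53F53E486D8511DAD8A04887E5B2352"
    "2CD470243453A299FA9E77237716103ABC11A1DF38855ED6F2EE187E9C582BA6"
)
# Public key from the post above, printed for comparison only.
POST_PUBKEY_HEX = (
    "04d061e9c5891f579fd548cfd22ff29f5c642714cc7e7a9215f0071ef5a5723f69"
    "1757b28e31be71f09f24673eed52348e58d53bcfd26f4d96ec6bf1489eab429d"
)


def ripemd160_available() -> bool:
    """True if this Python/OpenSSL build exposes RIPEMD-160."""
    try:
        hashlib.new("ripemd160")
        return True
    except ValueError:
        return False


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash160(data: bytes) -> bytes:
    """RIPEMD-160(SHA-256(data)), both stages over raw bytes."""
    return hashlib.new("ripemd160", sha256(data)).digest()


def base58check(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256d(payload), base58-encoded."""
    data = payload + sha256(sha256(payload))[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is preserved as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def address_from_pubkey_hex(pubkey_hex: str, version: int = 0x00) -> str:
    """Decode the hex text to bytes first, then hash the bytes."""
    pubkey = bytes.fromhex(pubkey_hex)
    if len(pubkey) != 65 or pubkey[0] != 0x04:
        raise ValueError("expected an uncompressed SEC1 point: 0x04 || X || Y")
    return base58check(bytes([version]) + hash160(pubkey))


def wrong_sha256_of_hex_text(pubkey_hex: str) -> bytes:
    """Hypothetical helper reproducing the post's bug: hashing the hex characters."""
    return sha256(pubkey_hex.lower().encode("ascii"))


if __name__ == "__main__":
    raw = bytes.fromhex(WIKI_PUBKEY_HEX)
    print("SHA-256 of raw bytes :", sha256(raw).hex())
    print("SHA-256 of hex text  :", wrong_sha256_of_hex_text(WIKI_PUBKEY_HEX).hex())
    if ripemd160_available():
        print("hash160              :", hash160(raw).hex())
        print("wiki address         :", address_from_pubkey_hex(WIKI_PUBKEY_HEX))
        print("post's key address   :", address_from_pubkey_hex(POST_PUBKEY_HEX))
    else:
        print("ripemd160 not available in this hashlib build")
```

The two SHA-256 lines differ because `"04..."` as text is 130 ASCII bytes while the point itself is 65 bytes; every downstream value (RIPEMD-160, checksum, address) inherits that difference, which is exactly the symptom in the post.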

openssl won’t verify certs beyond intermediate CA, error 20 even when using CApath or CAfile

Ultimately, I am trying to configure an OCSP server on Ubuntu 20.04, but I cannot even verify any certs issued by my intermediate CA yet.

I have configured a CA root called ca-root.mydomain.org. I also have configured an intermediate CA called ca-sub.mydomain.org. Finally, there is my future OCSP server, ocsp-server.mydomain.org.

First, I make a self-signed cert ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain pem file “sub-chain.pem”. It contains the sub-ca cert, then the ca-root cert, in that order.

Next, I then copy both ca_root_cert_file and ca_sub_cert_file to a “$CA_ROOTS_HASHES_DIR” directory, and copy all the root certs in /etc/ssl/certs there as well. I run the openssl utility c_rehash -v "$CA_ROOTS_HASHES_DIR". I expect I can now use this as the argument for the -CApaths parameter of openssl verify.

Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain pem file “ocsp_signer_chain.pem”. It contains the ocsp-server cert, the sub-ca cert, then the ca-root cert, in that order. I don’t expect to need this ocsp_signer_chain.pem, but I have it.

I can use openssl verify to verify ca_sub_cert_file:

openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"
depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted)
depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = deft@mydomain.org

But I can’t verify ocsp-server_cert_file. I always get error 20 at 0 depth lookup: unable to get local issuer certificate.
I’ve tried CAfile with sub-chain.pem vs. ocsp_signer_chain.pem vs. -CApath "$CA_ROOTS_HASHES_DIR".
I’ve tried with and without -untrusted "$ca_sub_cert_file"

openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted "$ca_sub_cert_file" "$ocsp-server_cert_file"
C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed

What am I doing wrong? I’ve been searching for days, but the answers I’ve found all end with using CApath or CAfile

I’m surprised that even when verifying ca_sub_cert_file, openssl reports “ca-sub.mydomain.org (untrusted)” I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/

ssh – Why am I getting the error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hostname:8065?

I tried to use the cURL command in an Ubuntu terminal. The command is:

curl -X POST https://hostname:8065/finance/1.0/go \
  -H "accept: application/json" \
  -H "Content-Type: application/jwt" \
  -H "x-v: 1.0" \
  --cert asa.pem --key asa.key \
  -d eyJ0eX -k

When I run the above curl command, I get an error:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hostname:8065

How can I fix this problem?