Enroll server generated p12 certificate using EJBCA SOAP API


I am trying to generate a p12 certificate for a created user using the EJBCA SOAP API in a Python environment. The docs inform me to use the following request: pkcs12Req, which returns Java keystore data encoded in base64 format. How do I use that data to create a .p12 file in a Python environment without using the Java SDK, or is that not possible?

http://www.massapi.com/source/manual/ejbca_4_0_3/modules/systemtests/src/org/ejbca/core/protocol/ws/CommonEjbcaWS.java.html#1901

    // A new PK12 request now should return the same key and certificate
    KeyStore ksenv2 = ejbcaraws.pkcs12Req(CA1_WSTESTUSER1, "foo456", null, "1024", AlgorithmConstants.KEYALGORITHM_RSA);
    java.security.KeyStore ks2 = KeyStoreHelper.getKeyStore(ksenv2.getKeystoreData(), "PKCS12", "foo456");
    assertNotNull(ks2);
    en = ks2.aliases();
    alias = (String) en.nextElement();
    X509Certificate cert2 = (X509Certificate) ks2.getCertificate(alias);
    assertEquals(cert2.getSubjectDN().toString(), getDN(CA1_WSTESTUSER1));
    PrivateKey privK2 = (PrivateKey) ks2.getKey(alias, "foo456".toCharArray());

There are 2 best solutions below

1
On

The pkcs12Req command returns a base64-encoded PKCS#12 keystore. If you base64 decode it, you will get a binary blob/file that can be parsed with any standard tool, like openssl. I'm not familiar with a native Python command for PKCS#12, but with openssl it is:

    openssl pkcs12 -in ~/tmp/caadmin.p12

It seems you can use pyOpenSSL to parse it (base64 decode it as well I think) as described in another Stack Overflow post.
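
As an added illustration (not part of the answer above and not EJBCA's own code), one way to turn the keystore data returned by pkcs12Req into a .p12 file using only the Python standard library. It assumes the value may still carry one extra base64 layer depending on how the SOAP client hands over the field; the helper names and the sample bytes are constructed for this example.

```python
import base64
import binascii
import os

# Constructed stand-in for PKCS#12 bytes: a PFX SEQUENCE header with version 3
# plus filler. It is NOT a usable keystore; it only exercises the code path.
STUB_PFX = b"\x30\x0b\x02\x01\x03" + b"\x04\x06sample"
SAMPLE_ONCE = base64.b64encode(STUB_PFX)      # single layer, as the answer describes
SAMPLE_TWICE = base64.b64encode(SAMPLE_ONCE)  # assumed extra transport layer


def looks_like_pfx(blob):
    """True if blob starts like a PKCS#12 PFX: SEQUENCE { INTEGER 3, ... }."""
    if len(blob) < 5 or blob[0] != 0x30:
        return False
    # Skip the length octets: short form (1 byte) or long form (0x8N + N bytes).
    start = 2 if blob[1] < 0x80 else 2 + (blob[1] & 0x7F)
    return blob[start:start + 3] == b"\x02\x01\x03"


def decode_keystore(data, max_layers=2):
    """Peel base64 layers until raw PKCS#12 bytes appear, else ValueError."""
    blob = data.encode("ascii") if isinstance(data, str) else bytes(data)
    for _ in range(max_layers):
        if looks_like_pfx(blob):
            return blob
        try:
            # Drop line breaks first; validate=True rejects non-base64 input.
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("keystore data is not valid base64") from exc
    if looks_like_pfx(blob):
        return blob
    raise ValueError("decoded data does not look like PKCS#12")


def write_p12(data, path):
    """Write the decoded keystore to path, owner-only, refusing to overwrite."""
    der = decode_keystore(data)
    # The file holds a private key: create it 0600 and fail if it exists.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(der)
    return len(der)
```

The file written by `write_p12` is what the `openssl pkcs12 -in` command shown in the answer expects as input.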

0
On

I found no way to work with a Java keystore in Python, so I changed the flow to using pkcs10Request and creating the p12 cert using openssl.