Ask Your Question

I've imported an .pem key, but why wireshark recognize it as .p12?

asked 2017-11-14 14:57:52 +0000

waikeatahlok gravatar image


I am inported .pem key into it (which is converted from .p12), but still wireshark recognize as p12 and thus I can't proceed with my analysis.

I am pretty sure the conversion has nothing wrong, because I have use the pem key in another monitoring tool in my client site (which the tools would only work for pem, not p12) and the tools works fine.

So I am not quite sure why wireshark wouldn't recognize it as pem format.

The error message is "Could not load PKCS#12 key file: could not load PKCS#12 in PEM format: Base64 unexpected header error."

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2017-11-14 15:21:46 +0000

grahamb gravatar image

updated 2017-11-14 16:07:51 +0000

What does your file look like in an editor? If it has a line such as -----BEGIN PRIVATE KEY----- then it is a PEM file. If it's a load of gibberish it's a .p12. Note that a .p12 is normally encrypted and requires a password to decrypt it.

edit flag offensive delete link more


It's not gibberish, it's readable string.

The content is Bag Attributes, followed by localKeyID and friendly name, then finally the section of BEGIN PRIVATE KEY until the END PRIVATE KEY

So, it's not p12, it's .pem.

Also, in case you wonder, I've try to erase the portion Bag Attribute then try to load into wireshark again, no luck.

waikeatahlok gravatar imagewaikeatahlok ( 2017-11-14 16:03:53 +0000 )edit

So it does look like a PEM, it would seem that it's corrupted in some way such that wireshark tries to load it as a .p12.

Can you try using OpenSSL to check the PEM, e.g.

openssl rsa -in yourpem -check
grahamb gravatar imagegrahamb ( 2017-11-14 16:23:12 +0000 )edit

The output of this command is: RSA key ok, writing RSA key, followed by the sectiion of ----BEGIN RSA PRIVATE KEY----, all the way until ----END RSA PRIVATE KEY----

waikeatahlok gravatar imagewaikeatahlok ( 2017-11-14 23:17:32 +0000 )edit

There would seem to be a bug then. Unfortunately the only way it is likely to be fixed is if you provide the capture and the pem file. Raise an item at the Wireshark Bugzilla and you can mark the bug item and attachments as private to restrict access to only the Core Developers.

grahamb gravatar imagegrahamb ( 2017-11-15 10:44:59 +0000 )edit

Thanks, just do that. Let's see what do they have to say, bug 14218

waikeatahlok gravatar imagewaikeatahlok ( 2017-11-15 14:02:30 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2017-11-14 14:57:52 +0000

Seen: 8,294 times

Last updated: Nov 14 '17