Bad Decrypt Error

I am using Json Web Token module in NodeJS to generate JWT.
I converted .p12 file to .pem with ‘only private key’ option using openssl.

While trying to get token(signing certificate), Json Web Token module throws an error:
06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

After research, I see that the problem occurs if openssl version is different for encryption and decryption.

Can you please tell me the version of openssl that you encrypt the certificate?
Also if you think that the problem cause is different, I will appreciate to hear from you.

My version of openssl:
LibreSSL 2.6.4

Hi Eray!

What command are you using on openssl? Using version 2.6.5 it works on our side, and there shouldn’t be any difference between 2.6.4 and 2.6.5 in this, so I think the cause is different.

Does the .pem file you get start with -----BEGIN PRIVATE KEY-----?

did you use LibreSSL 2.6.4 to convert .p12 to .pem, if so, is it the same version that you use for decryption as well?
Also I found various other reasons:



can you also post the module which is generating the error?

Thank you for your response.

The command that I used:
Openssl pkcs12 -in filename.p12 -out filename.pem -nocerts

The .pem file start with -----BEGIN ENCRYPTED PRIVATE KEY-----
If I changed the tag with -----BEGIN PRIVATE KEY----- I get Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag

I used LibreSSL 2.6.4 to convert .p12 to .pem.
NodeJS uses its own openssl. I checked with node -p process.versions command and the version of openssl that NodeJS uses 1.1.0j.
I couldn’t update Node’s openssl.
Maybe this is the problem.

The module I used: https://www.npmjs.com/package/jsonwebtoken

I solved the problem with the help of above link.

Used the following command to decrypt an encrypted key:
openssl rsa -in filename.key -out filename_output.key

@CaspervanderHarst
This looks similar to your problem, does this solve it for you as well?

No, I think the problem on my side were the linebreaks in the RSA key. This is the main thing I refactored yesterday and now I am receiving AccessTokens

To summarize the problem and solution here (@erayaras, you can accept this if you agree, and it will show up in the first post so that readers can immediatly find it):

If you use openssl (with pkcs12 command) to turn your p12 into a pem, your RSA Private key stays encrypted (file starts with -----BEGIN ENCRYPTED PRIVATE KEY-----).
To get the unencrypted key, you can use openssl (with rsa command) to turn your pem file into a key file. This key file should then start with -----BEGIN PRIVATE KEY-----.

EDIT: You can also do this in one command: use -nodes in your openssl command.
So: openssl pkcs12 -in input.p12 -out output.pem -nodes
This will give you a .pem file with an unencrypted private key.

Ideally however, you would want private keys to stay encrypted and only be decrypted when using it for signing for example. Unencrypted private keys lying around are a security risk, as should be clear. More info on openssl commands can be found here.