There is a use case in which the EC private key generated on the Layer7 gateway is sent to AWS. Both the EC public and private keys for this use case need to be sent ahead of time.
The current key is expiring, so the key was renewed on the gateway and shared with the AWS team, but their app responds with a 401 to the gateway when they try to use the new key.
When a new EC key is created on the gateway and the private key is extracted, the gateway creates a .p12 keystore file that contains both the public and private keys.
Viewing the contents of this new p12 file shows the output below. How do you extract just the EC private key? The keystore returns the private key in encrypted form.
$ openssl pkcs12 -info -in custjwt2022.p12
Enter Import Password:
MAC Iteration 102400
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
Bag Attributes
localKeyID: C5 61 30 E3 22 84 79 9E 30 F8 60 A5 68 7D 29 DB 6B A1 69 6F
friendlyName: custjwt2022
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIGMMEAGCSqGSIb3DQEFDQEFDDAOBAgUY2uT/M34VQICCAAw
FAYIKoZIhvcNAwcECI3R6KNy3/aABEiaSo17XJu8i+/DB4z3U0GufR1TqVHQ+KWB
S9t5yRdqlCwsAI+DGqx7sh334eGlqIzvYBM9YAwfyg3g3tB91PlrdmM5cpRXxrc=
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
Certificate bag
Bag Attributes
localKeyID: C5 61 30 E3 22 84 79 9E 30 F8 60 A5 68 7D 29 DB 6B A1 69 6F
friendlyName: custjwt2022
subject=/CN=custjwt2022
issuer=/CN=custjwt2022
-----BEGIN CERTIFICATE-----
MIIBZTCCAQugAwIBAgIJANpCaNSGwybkMAoGCCqGSM49BAMCMBYxFDASBgNVBAMT
C2N1c3Rqd3QyMDIyMB4XDTIyMDYwODE0NDYwN1oXDTI2MDYwODE0NDYwN1owFjEU
MBIGA1UEAxTBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT2
UauTCcIXjowf7/IqlXxtG31UCqmNAcdBJEJbqKSKAiUxQsy4DtYzRqpnv3IWoCaG
4u+fh6Rq8ylZqoe0GCUEo0IwQDAdBgNVHQ4EFgQUxWEw4yKEeZ4w+GClaH0p22uh
aW8wHwYDVR0jBBgwFoAUxWEw4yKEeZ4w+GClaH0p22uhaW8wCgYIKoZIzj0EAwID
SAAwRQIhAN/YLfmPA76f9XeBrD0MMY5deXDYmuP8RJdLg9UEsJWFAiBe/tbbyF7b
57oP5CoOm4FkLbGqyKYfL2n7dzOjkfocig==
-----END CERTIFICATE-----
API Gateway: 10.0
The only way to get the encrypted key out of the file is to use some kind of command (like sed) to extract the parts you want from the p12 file. There are no OpenSSL commands you can use to extract the key intact. It would look something like this:
1. Write the contents of the p12 file to a flat file
[root@ssg10-3 Key]# openssl pkcs12 -info -in signed.p12 -passin pass:7layer -passout pass:7layer > /home/ssgconfig/Key/extractPK
[root@ssg10-3 Key]# cat extractPK
Bag Attributes
localKeyID: B6 4A 52 A6 70 46 1B C0 04 E2 B2 AE 6B 73 45 41 4D EE 08 2B
subject=/C=US/ST=Texas/L=DFW/O=ABC Company/OU=Testing/CN=ssg10-3.example.net/[email protected]
issuer=/C=US/ST=Texas/L=DFW/O=ABC Company/OU=Testing/CN=ssg10-3.example.net/[email protected]
-----BEGIN CERTIFICATE-----
MIICkDCCAjWgAwIBAgIJAMpSHjobm2xUMAoGCCqGSM49BAMCMIGjMQswCQYDVQQG
EwJVUzEOMAwGA1UECAwFVGV4YXMxDDAKBgNVBAcMA0RGVzEUMBIGA1UECgwLQUJD
IENvbXBhbnkxEDAOBgNVBAsMB1Rlc3RpbmcxKTAnBgNVBAMMIGh1ZGphMDMtc3Nn
MTAtMy5sdm4uYnJvYWRjb20ubmV0MSMwIQYJKoZIhvcNAQkBFhRhZG1pbkBhYmNj
b21wYW55LmNvbTAeFw0yMjA2MjcxNjM3NDFaFw0yNzA2MjYxNjM3NDFaMIGjMQsw
CQYDVQQGEwJVDAKBgNVBAcMA0RGVzEUMBIGA1UE
CgwLQUJDIENvbXBhbnkxEDAOBgNVBAsMB1Rlc3RpbmcxKTAnBgNVBAMMIGh1ZGph
MDMtc3NnMTAtMy5sdm4uYnJvYWRjb20ubmV0MSMwIQYJKoZIhvcNAQkBFhRhZG1p
bkBhYmNjb21wYW55LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLOHMJUt
cpMtla1kZbJD/b1RyWo3A8quA6B9+qSK8cpZefxRTGb3Vo4EO4RQjYWYJAc5Q5Ck
ls3gpLQHnIHWkQGjUDBOMB0GA1UdDgQWBBSrjgC2v3iPTqsl2kUXxFxgtSitIDAf
BgNVHSMEGDAWgBSrjgC2v3iPTqsl2kUXxFxgtSitIDAMBgNVHRMEBTADAQH/MAoG
CCqGSM49BAMCA0kAMEYCIQD9P9XIoli/Vgngaq8f0yqFDjfRZGtSwpZeIMkdfnTP
bAIhAIK/+ieKFYvFAFQcLi9RzFwVhKU0pVNbMhjr9rjj6pUE
-----END CERTIFICATE-----
Bag Attributes
localKeyID: B6 4A 52 A6 70 46 1B C0 04 E2 B2 AE 6B 73 45 41 4D EE 08 2B
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHVMEAGCSqGSIb3DQEFDTAzMBsGCSqGSIb3DQEFDDAOBAgVMrrSSugl/wICCAAw
FAYIKoZIhvcNAwcECDgZ6daOZR2FBIGQxedsOUVNthxkJRVRjhON24hWr1ALWpha
NeCkwXDh6WJRn8IJOHTGY3euiSBXUFytJmlY6iQ2HCs
KCG6srIRgePc9BIF80Us7neY0sgdg1jrv6SwFJpnc9Kkn1VbddjpYJi29BT9e0oq
wPEQLyDPcd3F+ISksrT7/VqASqSg59vW
-----END ENCRYPTED PRIVATE KEY-----
2. Extract the encrypted private key
[root@ssg10-3 Key]# sed -n '/-----BEGIN ENCRYPTED PRIVATE KEY-----/,$p' extractPK > /home/ssgconfig/Key/extractedPK
[root@ssg10-3 Key]# cat extractedPK
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHVMEAGCSqGSIb3DQEFDTAzMBsGCSqGSIb3DQEFDDAOBAgVMrrSSugl/wICCAAw
FAYIKoZIhvcNAwcECDgZ6daOZR2FBIGQxedsOUVNthxkJRVRjhON24hWr1ALWpha
NeCkwXDh6WJRn8IJOHTGY3euiSBXUFytJmlY6iQ2HCs
KCG6srIRgePc9BIF80Us7neY0sgdg1jrv6SwFJpnc9Kkn1VbddjpYJi29BT9e0oq
wPEQLyDPcd3F+ISksrT7/VqASqSg59vW
-----END ENCRYPTED PRIVATE KEY-----
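
The sed range in step 2 runs to the end of the file, so it returns only the key when the key bag is written last; in the first listing above the key bag comes before the certificate, and the certificate would be copied too. The following is an added example, not part of the original article: it bounds the range at the END marker and writes the result with owner-only permissions. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: copy only the ENCRYPTED PRIVATE KEY block out of a text dump
# written by "openssl pkcs12 -info", whatever order the bags appear in.

# extract_enc_key DUMPFILE: print the first encrypted key block, markers included.
extract_enc_key() {
    # The range stops at the END marker, so a certificate that follows the
    # key bag is not copied; q quits after the first complete block.
    sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----$/,/^-----END ENCRYPTED PRIVATE KEY-----$/{p;/^-----END ENCRYPTED PRIVATE KEY-----$/q;}' "$1"
}

# save_enc_key DUMPFILE OUTFILE: write the block to a file readable only by its owner.
save_enc_key() {
    ( umask 077; extract_enc_key "$1" > "$2" )
}

# make_sample_dump FILE: constructed dump with the key bag BEFORE the
# certificate bag. The body lines are placeholders, not real key material.
make_sample_dump() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: example
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERKEYLINE1
CONSTRUCTEDPLACEHOLDERKEYLINE2
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: example
subject=/CN=example
issuer=/CN=example
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCERTLINE
-----END CERTIFICATE-----
EOF
}

# Demo: build the sample, extract the key block, show it, clean up.
d=$(mktemp -d)
make_sample_dump "$d/dump"
save_enc_key "$d/dump" "$d/key.pem"
cat "$d/key.pem"
rm -rf "$d"
```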