-1402 0xFA86 NICI E ALGORITHM NOT SUPPORTED

Hi,
We are struggling to import a Microsoft certificate server issued server certificate into eDir (as *.pfx) – we are getting a -1402 0xFA86 NICI E ALGORITHM NOT SUPPORTED, any ideas?
Regards,
N.

  • Suggested Answer


    The openssl version used in eDirectory doesn’t know how to deal with PKCS12 files with newer Keybags used by CAs.

    Use this command to verify if your PKCS#12 is using PBES2:

    openssl pkcs12 -in idmapps01.example.com.p12 -info -noout

    Output:

    MAC: sha1, Iteration 8192
    MAC length: 20, salt length: 20
    PKCS7 Data
    Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
    PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 8192
    Certificate bag
    Certificate bag
    Certificate bag

    Ask the customer to export the p12 file with legacy encryption or convert it yourself:

    # Convert to PEM
    openssl pkcs12 -in idmapps01.example.com.p12 -out idmapps01.example.com.pem

    # Convert back to P12
    openssl pkcs12 -in idmapps01.example.com.pem -export -out idmapps01.example.com.p12
    # for openssl3 add "-legacy"

    # Print info about PKCS#12 structure again
    openssl pkcs12 -in idmapps01.example.com.p12 -info -noout
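The check-then-convert procedure above as a small POSIX sh script (added example, not part of the answer). It reads the text of `openssl pkcs12 -info -noout`, decides whether the bundle uses PBES2 or a non-SHA1 MAC, and builds the re-export command with the legacy algorithms pinned explicitly (`-keypbe`/`-certpbe PBE-SHA1-3DES`, `-macalg sha1`, which work on OpenSSL 1.x and 3 alike, unlike `-legacy`); the two sample outputs are constructed for offline use.

```shell
#!/bin/sh
# Added example: detect PKCS#12 bundles eDirectory's bundled OpenSSL rejects and
# build a legacy re-export command. Sample outputs below are constructed.

# Return 0 when the -info output shows a PBES2/PBKDF2 keybag or a non-SHA1 MAC,
# i.e. the bundle needs to be rewritten before eDirectory will import it.
needs_legacy_reexport() {
    info="$1"
    printf '%s\n' "$info" |
        grep -Eq 'Shrouded Keybag: PBES2|PKCS7 Encrypted data: PBES2|^MAC: sha(224|256|384|512)'
}

# Print the openssl command that re-exports PEM $1 as PKCS#12 $2 using the
# legacy algorithms (PBE-SHA1-3DES is pbeWithSHA1And3-KeyTripleDES-CBC above).
legacy_reexport_cmd() {
    in_pem="$1"; out_p12="$2"
    printf 'openssl pkcs12 -in %s -export -out %s -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1\n' \
        "$in_pem" "$out_p12"
}

# Constructed sample: the PBES2 bundle from the answer, key lines only.
SAMPLE_PBES2='MAC: sha1, Iteration 8192
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 8192
Certificate bag'

# Constructed sample: what the same bundle looks like after a legacy re-export.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Live usage (hostnames from the answer; uncomment where openssl is available):
# info=$(openssl pkcs12 -in idmapps01.example.com.p12 -info -noout)
# if needs_legacy_reexport "$info"; then
#     openssl pkcs12 -in idmapps01.example.com.p12 -out idmapps01.example.com.pem
#     eval "$(legacy_reexport_cmd idmapps01.example.com.pem idmapps01-legacy.p12)"
# fi
```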