Hi,
We are struggling to import a Microsoft certificate server issued server certificate into eDir (as *.pfx) – we are getting a -1402 0xFA86 NICI E ALGORITHM NOT SUPPORTED. Any ideas?
Regards,
N.
The openssl version used in eDirectory doesn’t know how to deal with PKCS12 files with newer Keybags used by CAs.
Use this command to verify if your PKCS#12 is using PBES2:
openssl pkcs12 -in idmapps01.example.com.p12 -info -noout
Output:
MAC: sha1, Iteration 8192
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 8192
Certificate bag
Certificate bag
Certificate bag
Ask the customer to export the p12 file with legacy encryption or convert it yourself:
# Convert to PEM
openssl pkcs12 -in idmapps01.example.com.p12 -out idmapps01.example.com.pem
# Convert back to P12
openssl pkcs12 -in idmapps01.example.com.pem -export -out idmapps01.example.com.p12
# for openssl3 add "-legacy"
# Print info about PKCS#12 structure again
openssl pkcs12 -in idmapps01.example.com.p12 -info -noout
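
The check and conversion above can be scripted so the decrypted key never lands on disk as a PEM file. This is an added example, not part of the original answer; the function names, the P12_PASS environment variable and SAMPLE_INFO (constructed from the output quoted above) are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_INFO is constructed from the -info output quoted in the thread.
SAMPLE_INFO='MAC: sha1, Iteration 8192
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 8192
Certificate bag'

# Read "openssl pkcs12 -info -noout" text on stdin and print one line per
# encrypted bag that uses PBES2. Exit status: 0 if any was found, 1 if none.
p12_pbes2_bags() {
    awk -F': ' '
        /^(Shrouded Keybag|PKCS7 Encrypted data): / {
            split($2, f, ", ")            # f[1]=scheme, f[3]=cipher for PBES2
            if (f[1] == "PBES2") { print $1 " -> " f[1] "/" f[3]; hit = 1 }
        }
        END { exit (hit ? 0 : 1) }'
}

# Inspect a real file. The password is taken from P12_PASS so it does not
# appear in the process list; stderr is merged because openssl writes the
# -info text there.
p12_check() {
    openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1 | p12_pbes2_bags
}

# Re-encrypt SRC as DST with the legacy schemes. The decrypted key only
# passes through a pipe and is never written out as a PEM file.
p12_to_legacy() {
    src=$1 dst=$2 legacy=
    case "$(openssl version)" in
        "OpenSSL 3."*) legacy=-legacy ;;  # per the answer: OpenSSL 3 needs -legacy
    esac
    openssl pkcs12 -in "$src" -nodes -passin env:P12_PASS |
        openssl pkcs12 -export $legacy -out "$dst" -passout env:P12_PASS
    # Fail if the rewritten file still contains a PBES2 bag.
    if p12_check "$dst" >/dev/null; then return 1; fi
}

# Demonstration on the constructed sample; no openssl binary required.
printf '%s\n' "$SAMPLE_INFO" | p12_pbes2_bags
```

For a real file, export P12_PASS and run p12_check idmapps01.example.com.p12, then p12_to_legacy with a different output name so the original stays intact until the import succeeds.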