000013976 - How to recreate a PKCS#12 and/or to change PKCS#12 password?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013976
Applies To:
RSA Key Manager
RSA Data Protection Manager
RSA Key Manager Appliance
RSA Data Protection Manager Appliance
Issue: How to recreate a PKCS#12 and/or change the PKCS#12 password?
The PKCS#12 is not FIPS compliant (though all certificates included in it are FIPS compliant); how can a FIPS compliant PKCS#12 be recreated?
A PFX file exported from Internet Explorer is not FIPS compliant; how can the PFX be recreated so that it is FIPS compliant?
Resolution: The following steps can be carried out on any machine where OpenSSL is installed (the RKM or DPM Appliance can be used, since OpenSSL is preinstalled there) to recreate a PKCS#12 with its private key and certificates re-encrypted using PBE-SHA1-3DES (step 6):
1. Copy the existing non-conforming PKCS#12 (say, existingpkcs12.p12) to a temporary folder (for example, /tmp on the RKM or DPM Appliance).
2. Open a command prompt (or log in as root at the shell prompt on the RKM or DPM Appliance) and change the working directory to the temporary folder (e.g., /tmp):
    cd /tmp
3. Extract the client certificate from the PKCS#12 file "existingpkcs12.p12":
    openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_clcert.pem -nokeys -clcerts
Note: When prompted, provide the current password protecting the PKCS#12. If the PKCS#12 is not password protected, simply press Enter at the password prompt.
4. Extract the client certificate's private key from the PKCS#12 file "existingpkcs12.p12":
    openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_key.pem -nocerts -des3
Notes:
- At the first password prompt, provide the current password protecting the PKCS#12. If the PKCS#12 is not password protected, simply press Enter at the first password prompt.
- At the second password prompt (and the third one, for verification), provide a new password to encrypt the private key file.
5. (Optional) Extract the CA certificates, if any, from the PKCS#12 file "existingpkcs12.p12":
    openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_cacerts.pem -nokeys -cacerts
Note: When prompted, provide the current password protecting the PKCS#12. If the PKCS#12 is not password protected, simply press Enter at the password prompt.
6. Re-create the PKCS#12, say as a new file "newpkcs12.p12", which is FIPS compliant and usable with the RKM Client. Note that the latest versions of the RKM/DPM Clients do not require a CA certificate to be included in the PKCS#12; however, some older Clients (or the PS version of the SOM/DTS Clients) may require the root CA of the server certificate to be added to the PKCS#12.
a) If no CA certificate exists, or none needs to be added to the new PKCS#12, use the following command (all on one line):
    openssl pkcs12 -export -in existingpkcs12_clcert.pem -inkey existingpkcs12_key.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out newpkcs12.p12
b) If CA certificate(s) exist AND must be included in the new PKCS#12 (in which case step 5 above was followed), use the following command (all on one line):
    openssl pkcs12 -export -in existingpkcs12_clcert.pem -inkey existingpkcs12_key.pem -certfile existingpkcs12_cacerts.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out newpkcs12.p12
Notes:
- At the first password prompt, provide the private key password set in step 4 above.
- At the second password prompt (and the third one, for verification), provide a new password to encrypt the new PKCS#12. Make sure that the new password is at least 8 characters long.
7. Copy the new PKCS#12 "newpkcs12.p12" to the RKM Client host machine for use with the Client application. Make sure that the RKM Client configuration is updated to use the new password for the new PKCS#12.
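The same procedure (steps 3 to 6b) as a non-interactive shell script, added here as an example and not part of the RSA article: it passes the passwords via -passin/-passout instead of prompts, and adds a check with `openssl pkcs12 -info` that both the certificate safe and the shrouded key bag of the result report pbeWithSHA1And3-KeyTripleDES-CBC. It assumes a POSIX sh and the openssl CLI; the file names, passwords and the throwaway CA/client certificate used as test input are constructed placeholders.

```shell
# Added example (not the RSA article's own script); assumes a POSIX sh and the openssl CLI.
set -e

# Article steps 3-6b with passwords passed via -passin/-passout instead of prompts.
# $1 existing PKCS#12, $2 its password, $3 temporary password for the extracted
# key file (step 4), $4 password for the new PKCS#12, $5 output path.
recreate_p12() {
    src=$1 oldpw=$2 keypw=$3 newpw=$4 out=$5
    dir=$(dirname "$out")
    # step 3: client certificate only
    openssl pkcs12 -in "$src" -passin "pass:$oldpw" -nokeys -clcerts -out "$dir/existingpkcs12_clcert.pem"
    # step 4: private key, re-encrypted with 3DES under the temporary password
    openssl pkcs12 -in "$src" -passin "pass:$oldpw" -nocerts -des3 -passout "pass:$keypw" -out "$dir/existingpkcs12_key.pem"
    # step 5: CA certificates (step 6b below assumes there is at least one)
    openssl pkcs12 -in "$src" -passin "pass:$oldpw" -nokeys -cacerts -out "$dir/existingpkcs12_cacerts.pem"
    # step 6b: re-export with PBE-SHA1-3DES for both the key bag and the certificate safe
    openssl pkcs12 -export -in "$dir/existingpkcs12_clcert.pem" -inkey "$dir/existingpkcs12_key.pem" \
        -passin "pass:$keypw" -certfile "$dir/existingpkcs12_cacerts.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -passout "pass:$newpw" -out "$out"
}

# Succeeds only if every encrypted part of the PKCS#12 (certificate safe and
# shrouded key bag) reports pbeWithSHA1And3-KeyTripleDES-CBC in `pkcs12 -info`.
check_pbe() {
    info=$(openssl pkcs12 -info -noout -nodes -in "$1" -passin "pass:$2" 2>&1) || return 1
    if printf '%s\n' "$info" | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' |
            grep -qv 'pbeWithSHA1And3-KeyTripleDES-CBC'; then
        return 1
    fi
    printf '%s\n' "$info" | grep -q '^Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC'
}

# Constructed input: a throwaway CA, a client certificate it signs, and a PKCS#12
# built with OpenSSL's default PBE (not PBE-SHA1-3DES), protected by "oldpw".
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-CA \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=example-client \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -out "$d/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" -certfile "$d/ca.crt" \
        -passout pass:oldpw -out "$d/existingpkcs12.p12"
}
```

Run `make_fixture` into a scratch directory, then `recreate_p12 "$dir/existingpkcs12.p12" oldpw keypw newpw "$dir/newpkcs12.p12"` and `check_pbe` on both files: the original fails the check and the recreated file passes it.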
Legacy Article ID: a58296
