000014897 - To generate FIPS compliant pkcs12 file using Openssl

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000014897
Issue: To generate a FIPS compliant PKCS#12 file using OpenSSL
In FIPS mode, importing a PKCS#12 file that was created with openssl using the default options fails: R_PKCS12_DECODE returns error 10009 : NOT_AVAILABLE.
Cause: By default the private key is encrypted using triple DES, but the certificate is encrypted using 40-bit RC2. RC2 is not a FIPS approved algorithm and is therefore not available in FIPS mode.
Resolution: Specify the -descert option when running openssl pkcs12, as shown:

openssl pkcs12 -export -in <your server cert>.pem -inkey <your server key>.pem -out mycert.p12 -descert

The -descert option instructs openssl to encrypt the PKCS#12 certificate bag with triple DES as well, so that no RC2 protected content remains in the file.
Legacy Article ID: a48883
