000034631 - How to convert a PKCS#12 (P12) from non-FIPS to FIPS-140-2 compliant in RSA Data Protection Manager?

Document created by RSA Customer Support Employee on Jan 4, 2017Last modified by RSA Customer Support on Jul 2, 2018
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034631
Applies ToRSA Product Set: Data Protection Manager
RSA Product/Service Type: Data Protection Manager Appliance 
RSA Version/Condition: 3.5.2.x

Possible C client errors

  • R_KM_ERROR_CERT - 10039
  • R_KM_ERROR_CA_CERT - 10040

DPM Server may log the following error when upload a PKCS#12 in the certificate pool:

Unable to load the PKCS12 KeyStore with the given password

Error if you try to export certificate out of the PKCS#12 to re-encode it when using OpenSSL

dpm-4:/tmp # openssl pkcs12 -in /tmp/certificate.pfx  -info -cacerts -nokeys
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Error outputting keys and certificates
124011:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:89:TYPE=pbeWithSHA1And40BitRC2-CBC
124011:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
124011:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
dpm-4:/tmp #

Error if you try to export certificate out of the PKCS#12 to re-encode it when using Java keytool

dpm-4:/tmp # keytool -importkeystore -srckeystore /tmp/cert.pfx -srcstoretype pkcs12 -destkeystore /tmp/new.p12 -deststoretype pkcs12
Enter destination keystore password:
Enter source keystore password:
keytool error: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
dpm-4:/tmp #
ResolutionIf you need to convert a non-FIPS-140-2 compliant PKCS#12 into one using FIPS-140-2 compliant algorithm you can use the following steps:
  1. Note the current Java security policy file used. In the example below, it is pointing to /opt/jre/lib/security/java.security.rsa

dpm-4:/ # ls -l /opt/jre/lib/security/java.security
lrwxrwxrwx 1 root root 39 Jan  4 05:46 /opt/jre/lib/security/java.security -> /opt/jre/lib/security/java.security.rsa

  1. Change the Java security policy file to use the non-FIPS one:

ln -sf /opt/jre/lib/security/java.security.rsa.nonfips /opt/jre/lib/security/java.security

  1. Convert the PKCS#12 using Java keytool:

dpm-4:/ # keytool -importkeystore -srckeystore /tmp/client.pfx -srcstoretype pkcs12 -destkeystore /tmp/new.p12 -deststoretype pkcs12
Enter destination keystore password: <enter destination keystore password>
Enter source keystore password: <enter source keystore password>
Entry for alias le-fb7aeeec-ea7c-448a-bfe9-30e050ba9b11 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
dpm-4:/ #

  1. Revert to the Java security file previously used:

ln -sf /opt/jre/lib/security/java.security.rsa /opt/jre/lib/security/java.security

The new PKCS#12 file will now be encrypted with a FIPS-140-2 compliant algorithm.
NotesFollowing those instructions will affect only the encryption and MAC algorithm of the PKCS#12 file. It will not alter the inner certificates. This means if the certificates it contains are not signed with a FIPS 140-2 compliant algorithm, the resulting P12 may also fail FIPS validation.