Failed to extract certificates from the PKCS12 certificate file

After provisioning an error occurred indicating failure to extract certificates from the PKCS12 certificate file.

Symptoms

After clicking Continue on the Configure page after provisioning your Data Gate instance, you get an error:

Unable to connect. Failed to extract certificates from the PKCS12 certificate file.
Executed command had non-zero return code 1 . Command output was [Error outputting keys and
certificates, 804BD61E837F0000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library
context, Algorithm (DES-EDE3-CBC : 27), Properties ()] Verify that the certificate is valid.

Causes

After Data Gate version 5.2.0 service, we upgraded to use openssl 3.0 in our container. The legacy cipher DES-EDE3-CBC used for password encryption for your PKCS12 file before is unsupported for decryption.

Resolving the problem

It is possible to modernize the certificate file by re-encrypting it using the openssl program. Extract your certificates on a machine with openssl 1.1.1:

cert_file=mycert.p12
openssl pkcs12 -in $cert_file -nocerts -nodes -password pass:PASSWORD | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key
openssl pkcs12 -in $cert_file -clcerts -nokeys -password pass:PASSWORD | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.pem
openssl pkcs12 -in $cert_file -cacerts -nokeys -chain -password pass:PASSWORD | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.pem

Re-encrypt it using:

openssl pkcs12 -export -inkey server.key -in server.pem -certfile ca.pem -out mynewcert.p12 -keypbe aes-256-cbc -certpbe aes-256-cbc

Use the new certificate mynewcert.p12 to configure Data Gate.