IBM Support

How to change key and certificate PBE (password based encryption) type for PKCS#12 package PASE OpenSSL.

Troubleshooting


Problem

In this technote you have obtained a PKCS#12 file that contains an unsupported encryption type. The private key (PKCS#8) was encrypted using an unsupported algorithm. This document will provide instructions for extracting the contents of your PKCS#12 package, re-encrypting the private key with a supported algorithm, and repacking your PKCS#12 file.
PKCS#12 type files are encrypted objects that provide security to protect your private key and certificates. Within this package may contain a private key, CA certificate or CA Chain, and a server/client certificate. The private key are contained inside the PKCS#12 package as a PKCS#8 object. PKCS#8 objects restrictions and rules found in https://www.openssl.org/docs/man3.0/man1/openssl-pkcs8.html.
  

 Package

Description

PKCS # 1

The RSA encryption standard using RSA public key system.

PKCS # 3

The Diffie-Hellman key-agreement standard.

PKCS # 5

The password-based encryption standard (PBE).

PKCS # 6

The extended-certificate standard (replaced by x509 v3 extension).

PKCS # 7

The cryptographic message syntax standards.

PKCS # 8

Private-key information syntax.

PKCS # 9

This defines attributes.

PKCS # 10

The certification request syntax standard.

PKCS # 11

The cryptographic token interface standard such as smart cards.

PKCS # 12

The personal information exchange syntax standard.

PKCS # 13

The elliptic curve cryptography.

PKCS # 14

This is currently under active development.

PKCS # 15

The cryptographic token information.

 

Additional information about PKCS#12, PKCS#8 and PKCS#5 (legacy encryption) can be found here:
https://www.openssl.org/docs/man1.0.2/man1/pkcs12.html
https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html
https://www.rfc-editor.org/rfc/rfc2898#page-12
 
 

Environment

Documentation was created based on OpenSSL 1.1.1n 15 Mar 2022.
IBM i OpenSSL is a product of Portable Utilities for i 5733-SC1.
Information about PKCS#12 and PKCS#8 can be found here:
https://www.openssl.org/docs/man1.0.2/man1/pkcs12.html
https://www.openssl.org/docs/man3.0/man1/openssl-pkcs8.html
Further information and instructions pertaining to this document can be found here:
https://www.ibm.com/docs/en/i/7.3?topic=device-portable-utilities-i
https://www.openssl.org/news/openssl-1.1.1-notes.html

 

Resolving The Problem

1. Extract contents of your PKCS#12 file.  
a. Export Client/Server certificates:
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out cert.pem
b. Export CA certificates:
openssl pkcs12 -in yourP12File.pfx -cacerts -nokeys -out public.pem
c. Export private key:
openssl pkcs12 -in yourP12File.pfx -nocerts -out key.pem
Note: To remove password protection of the private key run: 
openssl rsa -in key.pem -out dkey.pem
2. Repackage PCKS#12 file:
openssl pkcs12 -export -out newpkcs.p12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -certfile public.pem -inkey dkey.pem -in cert.pem

Note: PASE OpenSSL default current private key encryption is PBE-SHA1-3DES.  To adjust this you could include -keypbe AES-256-CBC -certpbe AES-256-CBC options.

-keypbe       <------ Encryption algorithm for private key
-certpbe      <------ Encryption algorithm for certificate files
Additional examples:
PBE-MD2-DES       
PBE-MD5-DES 
PBE-SHA1-RC2-64 
PBE-MD2-RC2-64 
PBE-MD5-RC2-64 
PBE-SHA1-DES 
PBE-SHA1-RC4-128 
PBE-SHA1-RC4-40 
PBE-SHA1-3DES 
PBE-SHA1-2DES 
PBE-SHA1-RC2-128 
PBE-SHA1-RC2-40
AES-256-CBC
hmacWithSHA256
For a list of PBE (password based) encryption algorithms:
openssl enc -list -ciphers
3. To verify we can view contents of the PKCS12 file:
openssl pkcs12 -info -in newpkcs.p12
image-20221027121422-1
image-20221027121543-2
You will see PKCS7 data twice. The first instance is the certificate and the second will be the private key both enshrouded a PBE of choice.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CImAAM","label":"OpenSSL OpenSSH"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]

Document Information

Modified date:
27 October 2022

UID

ibm16621261

Page Feedback