The openssl pkcs12 command by default encrypts the certificate using 40-bit RC2. This is not allowed in FIPS mode. See https://community.rsa.com/docs/DOC-51951
The resolution is to add the -descert option to the command line to encrypt using triple-DES instead. This is confirmed to work in F29.
I was able to export a PKCS12 file with OpenSSL using PBES2 (AES-128-CBC with HMAC-SHA256). NSS' pk12util was able to import the file, too.
$ openssl pkcs12 -info -export -in keycert.pem -out test.p12 -passout pass:Secret123 -certpbe aes-128-cbc -keypbe aes-128-cbc
$ openssl pkcs12 -info -in test.p12 -passin pass:Secret123 -noout
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
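A check that could be run over `openssl pkcs12 -info` output like the above to spot the 40-bit RC2 default before a FIPS-mode import rejects the file. This is an added example, not part of the ticket or of FreeIPA's code; the function name is hypothetical, and the legacy sample output is constructed.

```python
import re

# The ticket names 40-bit RC2 as disallowed in FIPS mode. Flagging every
# RC2/RC4-based PKCS#12 PBE as weak is an assumption of this example.
WEAK = re.compile(r"RC2|RC4", re.IGNORECASE)
BAG = re.compile(r"^(PKCS7 Encrypted data|Shrouded Keybag): (.+)$")

# Output quoted in the ticket (PBES2 export).
PBES2_INFO = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
"""

# Constructed sample: shape of the legacy default export (RC2-40 for certs).
LEGACY_INFO = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

def audit_pkcs12_info(text):
    """Return (bag, scheme, cipher, ok) for each encrypted bag in -info output."""
    findings = []
    for line in text.splitlines():
        m = BAG.match(line.strip())
        if not m:
            continue
        bag = m.group(1)
        params = [p.strip() for p in m.group(2).split(",")]
        scheme = params[0]
        # PBES2 lists the KDF, then the cipher; legacy PKCS#12 PBE names
        # carry the cipher inside the scheme name itself.
        cipher = params[2] if scheme == "PBES2" and len(params) > 2 else scheme
        findings.append((bag, scheme, cipher, not WEAK.search(cipher)))
    return findings

if __name__ == "__main__":
    for label, sample in (("PBES2", PBES2_INFO), ("legacy", LEGACY_INFO)):
        for bag, scheme, cipher, ok in audit_pkcs12_info(sample):
            print(f"{label:7} {bag:21} {cipher:34} {'ok' if ok else 'WEAK'}")
```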
https://github.com/freeipa/freeipa/pull/3145
Metadata Update from @rcritten: - Issue assigned to rcritten
master:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)