Importing pfx (PKCS12) certificate fails on Fedora but succeeds on Windows 11

Thanks @vgaetera, always lending a hand to help :wink: :clap:

I did manage to work around the issue. I’ll post here what I had to do so that it might be helpful to others.

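Following the instructions here, I was able to extract the certificate and private key from the .pfx file (had to use the -legacy parameter, though):

```
# Extract the client certificate only (no private key)
openssl pkcs12 -legacy -in <file>.pfx -clcerts -nokeys -out certificate.crt
# Extract the private key, still passphrase-protected
openssl pkcs12 -legacy -in <file>.pfx -nocerts -out encrypted.key
# Remove the passphrase; private.key is written unencrypted
openssl rsa -in encrypted.key -out private.key
```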

Then I used openssl to generate a new PKCS12 file, with the default encryption parameters:

```
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12
```

After that, both Firefox and Chromium were able to import the newly generated certificate.p12 file :raised_hands: :sweat_smile:

For the curious ones, the new files were encrypted with

```
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

and

```
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

So, another point to Linux for raising the bar in terms of security (Windows 11 didn’t bother to handle such insecure files – no surprise here… :unamused: ).

And shame on my certificate issuer for using such poor security standards!

9 Likes
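
To check which kind of file you have before and after re-exporting, here is an added example that is not part of the original post: a shell function that classifies the text printed by `openssl pkcs12 -info -noout`. The name `p12_audit` and the legacy sample are constructed for illustration (the post does not show the original .pfx output); the modern sample is the output quoted in the post. "LEGACY" here means a SHA-1 or MD5 MAC or a pre-PBES2 `pbeWith...` scheme.

```shell
#!/bin/sh
# p12_audit reads `openssl pkcs12 -info -noout` text on stdin, prints one
# verdict per line, and returns 0 if every part is modern, 1 otherwise.
p12_audit() {
    awk '
    /^MAC: / {
        d = $2; sub(/,.*/, "", d)              # "sha256," -> "sha256"
        if (d == "sha1" || d == "md5") { print "LEGACY mac " d; bad = 1 }
        else print "OK mac " d
        next
    }
    /^PKCS7 Encrypted data: / || /^Shrouded Keybag: / {
        bag = ($1 == "PKCS7") ? "certbag" : "keybag"
        alg = $0; sub(/^[^:]*: /, "", alg)     # drop the label before ": "
        if (alg ~ /^PBES2/) {
            # PBES2 line: "PBES2, PBKDF2, <cipher>, Iteration N, PRF <prf>"
            split(alg, f, ", ")
            print "OK " bag " " f[3]
        } else {
            # Older PBE scheme names such as pbeWithSHA1And40BitRC2-CBC
            sub(/,.*/, "", alg)
            print "LEGACY " bag " " alg; bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample: typical output for an old-style export (assumption).
LEGACY_SAMPLE='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Output quoted in the post for the re-exported certificate.p12.
MODERN_SAMPLE='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
```

Feed it real output with `openssl pkcs12 -info -noout -in certificate.p12 2>&1 | p12_audit` (add `-legacy` for the original .pfx). Once the new file imports, delete the intermediate `private.key`, which holds the key unencrypted.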