...
When a PKCS12 cert signed using a SHA2 algorithm is imported, the following syslog is observed:

%PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.

The "debug crypto pki transaction" output shows:

CRYPTO_PKI: status = 0x760(E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported): Imported PKCS12 file failure
SHA2 algorithms (for example SHA256, SHA384, SHA512) are used for the signature of the PKCS12 file. SHA2 signatures on the certificates themselves are supported; the trigger here is the PKCS12 bundle itself being signed with SHA2.
Use the SHA1 algorithm for the signature of the PKCS12 file.
To see which MAC algorithm a PKCS12 file uses, run:

openssl asn1parse -inform der -in <pkcs12-file>

Examples (the OBJECT line marked with <============ is the MAC digest algorithm):

% openssl asn1parse -inform der -in ipad.example.com.p12
    0:d=0  hl=4 l=3438 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :03
    7:d=1  hl=4 l=3384 cons: SEQUENCE
   11:d=2  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   22:d=2  hl=4 l=3369 cons: cont [ 0 ]
   26:d=3  hl=4 l=3365 prim: OCTET STRING      [HEX DUMP]:30820D21308207A706092A864886F70D010706A0820798308207940201003082078D06092A864886F70D010701301C060A2A864886F70D010C0103300E04084693A1DC3237FF8802020800808207607CAE0D6E291AF74FF88326F97B2860F404FD1FF19610FC62E95F9B55AA777EFF07915B86CB0616128F2498A3CE40343D9057B302FE21076F2C6E33B5DB11B2B3156302306092A864886F70D01091531160414D331C257FBB21BA41875F04606CD3769D30B6CF9302F06092A864886F70D01091431221E200069007000610064002E006500780061006D0070006C0065002E0063006F006D
 3395:d=1  hl=2 l=  45 cons: SEQUENCE
 3397:d=2  hl=2 l=  33 cons: SEQUENCE
 3399:d=3  hl=2 l=   9 cons: SEQUENCE
 3401:d=4  hl=2 l=   5 prim: OBJECT            :sha1   <============
 3408:d=4  hl=2 l=   0 prim: NULL
 3410:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:7AE3CEF9F09F437E2BFEB76082022A2652D36D43
 3432:d=2  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:39DB3B205C4249B7

% openssl asn1parse -inform der -in ipad.example.com-sha2.p12
    0:d=0  hl=4 l=2457 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :03
    7:d=1  hl=4 l=2383 cons: SEQUENCE
   11:d=2  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   22:d=2  hl=4 l=2368 cons: cont [ 0 ]
   26:d=3  hl=4 l=2364 prim: OCTET STRING      [HEX DUMP]:30820938308203EF06092A864886F70D010706A08203E0308203DC020100308203D506092A864886F70D010701301C060A2A864886F70D010C0106300E0408975897815CAF294002020800808203A8B8B3270BA67F094D181884844FAB0D4028CB99ED2CC1E6CC52E5C230E00F00124D2717F060DB50F410610BC9FCF842C4AFCF817026105C34263571D40D7110A27E64AF9D10DD016C38B312D19EC3C0E39ECC33A81A9B6FD2D775B3195C9A2A9B8C7E2A74A7691472E03EF4ED7E33E252C28524D82494F8A3ED205317CBB5B301A288AAB3376E4134F7E759AC8EA1BAC5194A194E61903AB297365BF0AE98DA21F89706106D9AB5AC344883C680184B849308CB753B970577AD567C4649AF8A3BBED74B7E416B83C4A8653F7F56D03237FA61369057A40E692C939CB200B6F089050016FDEDF13B1EEAE3795C7F54EC09D159C7DF7E106E25C6B8242285497BA1C283E6B2226A7B9EF9BFD6A43125302306092A864886F70D01091531160414D331C257FBB21BA41875F04606CD3769D30B6CF9
 2394:d=1  hl=2 l=  65 cons: SEQUENCE
 2396:d=2  hl=2 l=  49 cons: SEQUENCE
 2398:d=3  hl=2 l=  13 cons: SEQUENCE
 2400:d=4  hl=2 l=   9 prim: OBJECT            :sha256   <============
 2411:d=4  hl=2 l=   0 prim: NULL
 2413:d=3  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:CE32094F00C39289E09F97571693B833B10962C317FA4B96658298DE16586CF5
 2447:d=2  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:81421A5EECBDF13F
 2457:d=2  hl=2 l=   2 prim: INTEGER           :0800

openssl uses sha1 by default. To generate the PKCS12 with the sha1 macalg explicitly:

openssl pkcs12 -export -inkey <key> -in <cert> -certfile <ca-chain> -out <name>.p12 -macalg SHA1
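The same check done without openssl, as an added example that is not part of the original note: a small DER walker that reads the MacData AlgorithmIdentifier of a .p12 (the OBJECT line flagged above) and reports whether the MAC uses sha1 or a SHA2 digest. The sample_pfx() helper and its OID table are assumptions made for this example; the sample bundle it builds is constructed and is not a real PKCS12 file.

```python
# Added example (not from the original bug note): a minimal DER walker that reports the
# digest algorithm in a PKCS12 MacData, so a .p12 can be checked for a SHA1 vs SHA2 MAC
# before import. Layout per RFC 7292: PFX ::= SEQUENCE { version, authSafe, macData OPTIONAL }.

DIGEST_OIDS = {"1.3.14.3.2.26": "sha1",             # MacData AlgorithmIdentifier OIDs
               "2.16.840.1.101.3.4.2.1": "sha256",
               "2.16.840.1.101.3.4.2.2": "sha384",
               "2.16.840.1.101.3.4.2.3": "sha512"}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def pkcs12_mac_algorithm(pfx):
    """Return the MAC digest name (dotted OID if unknown), or None if the PFX has no MacData."""
    _, body, _ = read_tlv(pfx, 0)            # outer PFX SEQUENCE
    _, _, pos = read_tlv(body, 0)            # version INTEGER (3)
    _, _, pos = read_tlv(body, pos)          # authSafe ContentInfo: encrypted payload, skipped
    if pos >= len(body):
        return None                          # macData is OPTIONAL
    _, mac_data, _ = read_tlv(body, pos)     # MacData SEQUENCE
    _, digest_info, _ = read_tlv(mac_data, 0)
    _, alg_id, _ = read_tlv(digest_info, 0)  # AlgorithmIdentifier { OID, NULL }
    _, oid, _ = read_tlv(alg_id, 0)          # the OBJECT asn1parse flags with "<===="
    return DIGEST_OIDS.get(decode_oid(oid), decode_oid(oid))

def der(tag, content):
    """Short-form DER TLV (content < 128 bytes), enough for the constructed sample."""
    return bytes([tag, len(content)]) + content

def sample_pfx(digest_oid_hex, digest_len):
    """Constructed sample PFX, not a real bundle: empty authSafe plus MacData with the given OID."""
    auth_safe = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010701")) + der(0xA0, der(0x04, b"")))
    alg_id = der(0x30, der(0x06, bytes.fromhex(digest_oid_hex)) + der(0x05, b""))
    mac = der(0x30, der(0x30, alg_id + der(0x04, bytes(digest_len))) + der(0x04, bytes(8)) + der(0x02, b"\x08\x00"))
    return der(0x30, der(0x02, b"\x03") + auth_safe + mac)
```

For a real file, call pkcs12_mac_algorithm(open("bundle.p12", "rb").read()); anything other than "sha1" is the condition this note describes.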