rigacci.org

User Tools

Site Tools

Trace: OpenVPN problem with obsolete PKCS12 file
doc:appunti:linux:sa:openvpn_openssl_problem

Table of Contents

OpenVPN problem with obsolete PKCS12 file

If you are migrating a configuration from an old OpenVPN 2.5.x to a new 2.6, you may face a problem with the PKCS12 file, which was created with a legacy encryption. The error message is as follow: 

OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Error: private key password verification failed

Generally the pkcs12 file contains also the Certification Authority certificate, so that ssl can check the integrity of the entire chain. If the CA cert is missing, you can encounter another error: 

VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain:
   C=IT, ST=ITALY, L=PRATO, O=ITEOS SRL,
   emailAddress=info@domain.org, CN=CA_ORGANIZATION_NAME, serial=0

Inspecting the PKCS12 file

To inspect the PKCS12 certificate and the encryption is uses: 

openssl pkcs12 -info -in file.p12

the command must be run on an host supporting the SSL encryption used to create the file.

A file created with a legacy encryption may be like this: 

...
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
...
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
...

indeed a newer certificate will be: 

...
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
...
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
...

Extracting certificates and keys from the old .p12 file

To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, supporting the legacy encryption: 

openssl pkcs12 -in file.p12 -nodes -nocerts -out private_key.pem
openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -cacerts -nokeys -out ca.pem

The file extracted are:

  • The private key of the client.
  • The client certificate.
  • The Certification Authority certificate.

Creating the new PKCS12 file

We put both the client certificate and the CA certificate into a single file, so that the full chain is included: 

cat cert.pem ca.pem > cert-full.pem

Then it is possibile to generate the new PKCS12 file using a new modern encryption, as AES-256-CBC: 

openssl pkcs12 -export -in cert-full.pem -inkey key.pem \
    -out file_new.p12 -keypbe aes-256-cbc -certpbe aes-256-cbc
doc/appunti/linux/sa/openvpn_openssl_problem.txt · Last modified: 2025/04/15 12:53 by niccolo