doc:appunti:linux:sa:openvpn_openssl_problem
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:30] – created niccolo | doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:53] (current) – [OpenVPN problem with obsolete pkcs12 files] niccolo | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenVPN problem with obsolete | + | ====== OpenVPN problem with obsolete |
| If you are migrating a configuration from an old **OpenVPN 2.5.x** to a new **2.6**, you may face a problem with the **PKCS12** file, which was created with a legacy encryption. The error message is as follow: | If you are migrating a configuration from an old **OpenVPN 2.5.x** to a new **2.6**, you may face a problem with the **PKCS12** file, which was created with a legacy encryption. The error message is as follow: | ||
| Line 9: | Line 9: | ||
| </ | </ | ||
| - | Generally the pkcs12 file contains also the Certification Authority certificate, | + | Generally the pkcs12 file contains also the Certification Authority certificate, |
| < | < | ||
| VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: | VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain: | ||
| - | C=IT, ST=ITALY, L=PRATO, O=ITEOS SRL, emailAddress=info@domain.org, | + | C=IT, ST=ITALY, L=PRATO, O=ITEOS SRL, |
| + | emailAddress=info@domain.org, | ||
| </ | </ | ||
| - | ===== Extracting certificates an keys from the old .p12 file ===== | + | ====== Inspecting |
| - | To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, **supporting the legacy encryption**. | + | To inspect the PKCS12 certificate and the encryption is uses: |
| + | |||
| + | < | ||
| + | openssl pkcs12 -info -in file.p12 | ||
| + | </ | ||
| + | |||
| + | the command must be run on an host supporting the SSL encryption used to create the file. | ||
| + | |||
| + | A file created with a legacy encryption may be like this: | ||
| + | |||
| + | < | ||
| + | ... | ||
| + | MAC: sha1, Iteration 1 | ||
| + | MAC length: 20, salt length: 8 | ||
| + | PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, | ||
| + | ... | ||
| + | PKCS7 Data | ||
| + | Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, | ||
| + | ... | ||
| + | </ | ||
| + | |||
| + | indeed a newer certificate will be: | ||
| + | |||
| + | < | ||
| + | ... | ||
| + | MAC: sha256, Iteration 2048 | ||
| + | MAC length: 32, salt length: 8 | ||
| + | PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, | ||
| + | ... | ||
| + | PKCS7 Data | ||
| + | Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, | ||
| + | ... | ||
| + | </ | ||
| + | |||
| + | |||
| + | ===== Extracting certificates and keys from the old .p12 file ===== | ||
| + | |||
| + | To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, **supporting the legacy encryption**: | ||
| < | < | ||
| Line 26: | Line 64: | ||
| </ | </ | ||
| + | The file extracted are: | ||
| + | |||
| + | * The private key of the client. | ||
| + | * The client certificate. | ||
| + | * The Certification Authority certificate. | ||
| + | |||
| + | ===== Creating the new PKCS12 file ===== | ||
| + | |||
| + | We put both the client certificate and the CA certificate into a single file, so that the full chain is included: | ||
| + | |||
| + | < | ||
| + | cat cert.pem ca.pem > cert-full.pem | ||
| + | </ | ||
| + | |||
| + | Then it is possibile to generate the new PKCS12 file using a new modern encryption, as **AES-256-CBC**: | ||
| + | |||
| + | < | ||
| + | openssl pkcs12 -export -in cert-full.pem -inkey key.pem \ | ||
| + | -out file_new.p12 -keypbe aes-256-cbc -certpbe aes-256-cbc | ||
| + | </ | ||
doc/appunti/linux/sa/openvpn_openssl_problem.1744713044.txt.gz · Last modified: 2025/04/15 12:30 by niccolo