Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:42] – [OpenVPN problem with obsolete pkcs12 files] niccolo
+++ doc:appunti:linux:sa:openvpn_openssl_problem [2025/04/15 12:53] (current) – [OpenVPN problem with obsolete pkcs12 files] niccolo
@@ Line 1: / Line 1: @@
-====== OpenVPN problem with obsolete pkcs12 files ======
+====== OpenVPN problem with obsolete PKCS12 file ======
 If you are migrating a configuration from an old **OpenVPN 2.5.x** to a new **2.6**, you may face a problem with the **PKCS12** file, which was created with a legacy encryption. The error message is as follow:
@@ Line 16: / Line 16: @@
    emailAddress=info@domain.org, CN=CA_ORGANIZATION_NAME, serial=0
 </code>
+====== Inspecting the PKCS12 file ======
+To inspect the PKCS12 certificate and the encryption is uses:
+<code>
+openssl pkcs12 -info -in file.p12
+</code>
+the command must be run on an host supporting the SSL encryption used to create the file.
+A file created with a legacy encryption may be like this:
+<code>
+...
+MAC: sha1, Iteration 1
+MAC length: 20, salt length: 8
+PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
+...
+PKCS7 Data
+Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
+...
+</code>
+indeed a newer certificate will be:
+<code>
+...
+MAC: sha256, Iteration 2048
+MAC length: 32, salt length: 8
+PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
+...
+PKCS7 Data
+Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
+...
+</code>
 ===== Extracting certificates and keys from the old .p12 file =====