If you are migrating a configuration from an old OpenVPN 2.5.x to a new 2.6, you may face a problem with the PKCS12 file, which was created with a legacy encryption. The error message is as follow:

OpenSSL: error:11800071:PKCS12 routines::mac verify failure
Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
Error: private key password verification failed

Generally the pkcs12 file contains also the Certification Authority certificate, so that ssl can check the integrity of all the chain. If the CA cert is missing, you can encounter another error:

VERIFY ERROR: depth=1, error=self-signed certificate in certificate chain:
   C=IT, ST=ITALY, L=PRATO, O=ITEOS SRL,
   emailAddress=info@domain.org, CN=CA_ORGANIZATION_NAME, serial=0

To solve the problem you can repack the .p12 file with a modern encryption. The extraction of the content must be performed on an the old host, supporting the legacy encryption.

openssl pkcs12 -in file.p12 -nodes -nocerts -out private_key.pem
openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -cacerts -nokeys -out ca.pem

The file extracted are:

• The private key of the client.
• The client certificate.
• The Certification Authority certificate.

We put both the client certificate and the CA certificate into a single file, so that the full chain is included:

cat cert.pem ca.pem > cert-full.pem

Then it is possibile to generate the new PKCS12 file using a new modern encryption, as AES-256-CBC:

openssl pkcs12 -export -in cert-full.pem -inkey key.pem \
    -out file_new.p12 -keypbe aes-256-cbc -certpbe aes-256-cbc