chris2511 / xca

X Certificate and Key management
http://xca.hohnstaedt.de

issue/feature request - Version 2.6.0 invalid password during certificate import on other devices #559

Open ryder-hook opened 2 weeks ago

ryder-hook commented 2 weeks ago

Hello,

Thanks for this nice software! I renewed a certificate using version 2.6.0 and exported it as PKCS #12 (both variants). It was a certificate for a network gateway. I wanted to import the certificate there. Unfortunately this didn't work, I always got the error message "invalid password". I then searched the Internet for a solution, where I found the information to use the export with the -legacy parameter when using openssl. I assume that the appliance cannot handle modern algorithms. I then imported the certificate into the old version 2.4.0 of XCA and exported it again. The import into the appliance then worked.

So there is probably no error with XCA (hence the imprecise subject), but perhaps an option for the export could be implemented to avoid such problems in the future.

Wishes Thorsten

GiladHi commented 2 weeks ago

XCA 2.6.0 is based on OpenSSL 3.0, which encrypts the private key using AES256. I think that XCA 2.4.0 used an older version of OpenSSL, so the private key was encrypted using 3DES.

I had a similar issue with Windows Server 2016.

ryder-hook commented 2 weeks ago

@GiladHi , yes, this is exactly what was also my assumption. But OpenSSL 3.0 already has the -legacy cli parameter. This was the reason why I suggested this adoption.

teward commented 1 week ago

@ryder-hook when you open your XCA database, and then go to File > Options, what option is selected for PKCS12 Encryption Algorithm? Mine offers two versions to choose from for PKCS12 Encryption Algorithm: PBE-SHA1-3DES and AES-256-CBC

ryder-hook commented 1 week ago

@teward , AES-256-CBC is selected in Version 2.6. I also have these two options. In the older version, this parameter was not available.

teward commented 1 week ago

> @teward , AES-256-CBC is selected in Version 2.6. I also have these two options. In the older version, this parameter was not available.

What happens if you choose the non-AES-256 option? Do the generated PKCS12 files work then?
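
As an added example (not XCA project code and not posted in this thread), the shell script below produces both PKCS#12 flavours discussed here with the openssl CLI and shows how to inspect a .p12 offline to see whether it uses AES-256-CBC or PBE-SHA1-3DES, so the question above can be answered without carrying a file to the appliance. It assumes an openssl 1.1.1 or 3.x binary; the key, certificate subject and password are constructed test data.

```shell
#!/bin/sh
# Added example, not XCA project code: export one key/cert pair as PKCS#12 in
# the two flavours XCA offers under File > Options, then inspect the result.
# Requires the openssl CLI (1.1.1 or 3.x); all key material is throwaway test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:changeit          # constructed import password for the test files

# Throwaway self-signed key and certificate (constructed, never deploy it).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=gw.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# What OpenSSL 3.0 (and XCA 2.6.0 with "AES-256-CBC" selected) produces by
# default; given explicitly so the script behaves the same on OpenSSL 1.1.1.
export_modern() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "$PASS" -out "$WORK/modern.p12"
}

# The older PBE-SHA1-3DES flavour that legacy appliances usually accept.
# `openssl pkcs12 -export -legacy` on 3.x is similar but encrypts the cert
# bags with RC2-40 and needs the legacy provider; these options do not.
export_legacy_compatible() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "$PASS" -out "$WORK/legacy.p12"
}

# Print the PBE and MAC algorithms a .p12 uses without extracting anything.
# An appliance reporting "invalid password" on a correct password is often
# just failing to decrypt an AES-256-CBC/PBES2 bag it does not support.
p12_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "$PASS" 2>&1 \
        | grep -E 'MAC:|PKCS7|Keybag'
}
uses_aes()  { p12_algorithms "$1" | grep -qi 'aes-256-cbc'; }
uses_3des() { p12_algorithms "$1" | grep -qi 'tripledes'; }

make_test_cert
export_modern
export_legacy_compatible
echo "modern.p12:"; p12_algorithms "$WORK/modern.p12"
echo "legacy.p12:"; p12_algorithms "$WORK/legacy.p12"
```

Run `p12_algorithms` against a file exported from XCA to confirm which of the two options it was written with before moving it to the device.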

ryder-hook commented 1 week ago

@teward, my original problem was that I had to import the certificate onto an appliance. The certificate itself must then be made available on the appliance via USB stick. That's why I can't simply do a new test now. I would have to recreate the certificate and install it on the appliance using a USB stick. Sorry for that.