.pfx wrong password error in Acrobat reader

[itsKV]

The .pfx format of document signing self-signed certificate generated in XCA gives invalid password error while importing it into Acrobat reader. Tried every combination of policies. Also tried generating certificate pfx directly into Acrobat then importing it into XCA and at again exporting it into .pfx file. This pfx also gives wrong password error. XCA version is 2.7.0 (windows portable) and Acrobat version is 2024.003.20112

It seems there are some past issues of pfx password error which were solved using -legacy switch. Is this the related issue? Any change in GUI parameter will help resolving this password error in Acrobat? or this error is 'compiled' into the XCA build?

[chris2511]

In the Options dialog different PFX-export Algorithms can be selected. Did you try that? I quick search suggests that Adobe at least in Version 2023 still uses RC2-40.

[itsKV]

Tried all "PKCS12 encryption algorithm" options. No use.

I ran openssl pkcs12 -info -in file.pfx command found differences in result as follows...

--- result for Acrobat generated pfx ---

MAC: sha1, Iteration 1024 MAC length: 20, salt length: 20 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024 Error outputting keys and certificates 5C4E0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

---- result for PBE-SHA1-RC2-40 -----

MAC: sha1, Iteration 1 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 Error outputting keys and certificates 74360000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

---- result for PBE-SHA1-3DES -----

MAC: sha1, Iteration 1 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 Certificate bag Bag Attributes localKeyID: XX XX F6 XX 1C XX XX 9F 1D XX CD XX 0E XX D1 XX XX XX XX XX friendlyName: xxxxxxxxxxx subject=C=XX, ST=XX, L=XX, O=XX, OU=XXX, CN=XXXXXXX, emailAddress=X@XX.XX issuer=C=XX, ST=XX, L=XX, O=XX, OU=XXX, CN=XXXXXXX, emailAddress=X@XX.XX

[itsKV]

The last 'secured' option pfx also gives error. I don't have it's -info result right now.

[chris2511]

OpenSSL already abandoned the archaic algorythms. You need to add the "-legacy" option. There are 3 differences:

• The MAC Iter is set intentionally to 1 by XCA to satisfy other ancient beasts.
• The salt length -> I don't think this is an issue.
• The PKCS#7 Encryption iteration of 2048 is most propably the one Adobe can't handle

[itsKV]

Ok. As of now, I have managed to generate a .pfx file which can be imported into Acrobat Reader's cert store by issuing some specific commands to openssl cli. I am pretty amazed to know that the OG developer of PDF standard is using such old-age and possibly insecure signature wrapper. On the other hand, the aftermarket pdf reader by Foxit software can easily import any pfx file which is packed with modern and more secure encryption wrapper. Let's hope Adobe will look into this matter and update their pfx requirements.

[itsKV]

Following is the command I used to generate pfx file suitable for Acrobat reader.

openssl pkcs12 -export -out final.pfx -inkey key.key -in crt.crt -iter 1024 -legacy -macsaltlen 20

NOTE - You need to have legacy provider enabled in openssl to get above command worked.

[chris2511]

I will not fix this. Adobe needs to fix it. Thanks for the solution. It may help others.