smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

[Bug]: certificate p12 = The format of the file is invalid. #1081

Closed ghost closed 6 months ago

ghost commented 6 months ago

Steps to Reproduce

I own an HP LaserJet MFP M281 printer and I'm trying to install my own certificate.

I create a p12 PKCS#12 bundle file with:

step certificate p12 printer.pfx printer.crt printer.key --password-file=password.txt

and with the --legacy option as well:

step certificate p12 printer.pfx printer.crt printer.key --legacy --password-file=password.txt

I take the resulting printer.pfx file and I upload it to the HP printer, under Networking -> Certificates -> Printer Certificate -> Configure -> Import a Certificate and Private Key

But the HP printer reports the following:

The format of the file is invalid.

(it is not clear at this point if the invalid file is the bundle .pfx file or the certificate/key pair)

Your Environment

Expected Behavior

I would expect the HP printer to accept the certificate bundle.

Actual Behavior

Error: The format of the file is invalid.

Additional Context

(it is not clear at this point if the invalid file is the bundle .pfx file or the certificate/key pair)

This happens with firmware 20230822.

With the 2021 firmware, the file was accepted without error but was never installed/used; the printer would still use its own self-signed certificate. Sometimes it would install fine and be used for about a day, but then overnight it would revert back to the self-signed certificate.

Thank you.

hslatman commented 6 months ago

Hey @LauraTaylorUK,

I found this SE thread with a similar error message, but using OpenSSL instead: https://serverfault.com/questions/1121312/error-message-the-format-of-the-file-is-invalid-when-attempting-to-import-cert. It may be worth a try to remove the intermediate certificate from your printer.crt, and then retry the original command (or maybe the --legacy one). Simplest option to make printer.crt contain just the leaf is to remove all but the first ----- BEGIN CERTIFICATE ----- / ----- END CERTIFICATE ----- parts.

You'll likely need to install the intermediate cert in the clients connecting to your printer too to get a successful TLS connection, because the printer won't have it available to serve it. You could also opt for manually signing a cert for the printer using the root key, so that the intermediate's not required to get a full chain.

If you indeed have to install the intermediate on your client(s), you could file a bug with HP, because servers are responsible for sending the leaf + intermediates.
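
The leaf-only suggestion in the comment above, as an added example that is not part of the original thread or the step CLI project: a POSIX shell helper that splits a PEM bundle into the first certificate block (the leaf) and the remaining chain. The function names, the output file names `leaf.crt` and `chain.crt`, and the sample bundle are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a PEM bundle so the leaf can be packaged on its own.
# Only the PEM armor lines are inspected; certificate bodies are not parsed.

# pick_certs FILE FIRST LAST: print certificate blocks FIRST..LAST (1-based).
# Text outside the armor (e.g. "subject=" lines) is dropped; CRLF files match too.
pick_certs() {
    awk -v lo="$2" -v hi="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && n >= lo && n <= hi  { print }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
    ' "$1"
}

# split_bundle FILE LEAF_OUT CHAIN_OUT: write the first block to LEAF_OUT and
# the rest to CHAIN_OUT, then print how many blocks FILE contained.
split_bundle() {
    total=$(awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1")
    if [ "$total" -lt 1 ]; then
        echo "no certificate block in $1" >&2
        return 1
    fi
    pick_certs "$1" 1 1 > "$2"
    pick_certs "$1" 2 "$total" > "$3"   # empty when the file held only a leaf
    echo "$total"
}

# Constructed sample: two placeholder blocks standing in for leaf + intermediate.
# The bodies are not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN = printer.example.internal
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
subject=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
write_sample_bundle "$tmp/printer.crt"
echo "blocks found: $(split_bundle "$tmp/printer.crt" "$tmp/leaf.crt" "$tmp/chain.crt")"
rm -rf "$tmp"
```

On a real bundle, `leaf.crt` then takes the place of `printer.crt` in the `step certificate p12` command quoted in the issue, and `chain.crt` holds whatever clients would need to trust separately.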

ghost commented 6 months ago

Thank you for the suggestion. I've tried the above trick: I removed the intermediate certificate, but that did not help; same error :(

I also tried with and without --legacy.

hslatman commented 6 months ago

I also found these blog posts: part1, part2. Can you try it with a different firmware version? The blog posts indicate 20230321 might work? If it does, it might mean they broke the firmware again with the newer one you tried last?

ghost commented 6 months ago

I've found the same posts, which is why I upgraded to the latest firmware, mine now is 20230822.

I think this looks like an HP bug and not related to step-cli, so I'm closing this issue.

Thank you for your help.