tschoffelen / php-pkpass

💳 PHP class for creating passes for Wallet on iOS.
https://includable.com
MIT License
901 stars 185 forks

Could not read Certificate File #142

Closed g021670 closed 3 months ago

g021670 commented 3 months ago

Hello Everyone,

I'm trying to run example.php but I'm getting the error:

Fatal error: Uncaught PKPass\PKPassException: Could not read certificate file. This might be related to using an OpenSSL version that has deprecated some older hashes

After searching, I'm pretty sure that it has something to do with my OpenSSL version. I'm running a local Apache server with OpenSSL 3.1.3. I have already edited my "openssl.cnf" file to the following:

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

But I'm still getting the same error...

Does anyone have an idea?

g021670 commented 3 months ago

Any idea?

Maybe some more details:

I'm working on a fresh XAMPP installation with the newest version available (8.2.12). I searched for openssl.cnf and found that there are several openssl.cnf files, all of which I edited in the way provided, but I am still getting the same error message.

tschoffelen commented 3 months ago

Are you sure the certificate file itself is valid?

Could you try to run the following command and share the output here?

openssl x509 -in [certfile] -noout -text

g021670 commented 3 months ago

Hi @tschoffelen,

Thank you for your reply.

I ran the command and this is what I got:

openssl x509 -in path -noout -text
Enter pass phrase for PKCS12 import pass phrase:
Could not read certificate from path
F03B0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

For further information: I use the same certificate when running the provided Apple signtool on my Mac and it works just fine.

g021670 commented 3 months ago

I just found out that the certificate I use in the command is a .p12 certificate. Could this cause the error?

g021670 commented 3 months ago

After all, I found a solution.

For everyone interested: I found out that the XAMPP server did not have a legacy.dll included. After I downloaded that and configured OPENSSL_MODULES in the environment variables, I could successfully use the -legacy param to follow the "https://stackoverflow.com/questions/72598983/curl-openssl-error-error0308010cdigital-envelope-routinesunsupported" tutorial and create a new .p12 certificate.

Robertbaelde commented 1 month ago

I found this answer on Reddit that gave a better solution to this problem. Instead of enabling legacy options with openssl, you could simply re-generate your .p12 cert using these commands:

openssl pkcs12 -legacy -in key.p12 -nodes -out key_decrypted.tmp

openssl pkcs12 -in key_decrypted.tmp -export -out key_new.p12

source
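
The two commands above write the private key unencrypted to key_decrypted.tmp and leave it on disk. The following added example (not from the thread or from php-pkpass) wraps the same two steps so the intermediate file is owner-only and always deleted, and adds a helper that pulls the algorithm name out of the 0308010C error shown earlier. The function names and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example; function names and the P12_PASS variable are assumptions.

# Print the algorithm named in an OpenSSL 3 "unsupported" error (0308010C),
# e.g. RC2-40-CBC. Prints nothing if the text is a different error.
legacy_alg_from_error() {
    printf '%s\n' "$1" |
        sed -n 's/.*error:0308010C:.*Algorithm (\([^ )]*\).*/\1/p' | head -n 1
}

# Re-encrypt a legacy .p12 with the current OpenSSL defaults.
# The pass phrase is read from the exported variable P12_PASS and reused
# for the new file.
# Usage: export P12_PASS; reencrypt_p12 key.p12 key_new.p12
reencrypt_p12() {
    in=$1
    out=$2
    old_umask=$(umask)
    umask 077                  # temp file and output readable by owner only
    tmp=$(mktemp) || { umask "$old_umask"; return 1; }
    rc=1
    # Step 1: the legacy provider is needed only to read the old container.
    # Step 2: export again without -legacy, so current ciphers are used.
    if openssl pkcs12 -legacy -in "$in" -nodes \
            -passin env:P12_PASS -out "$tmp" &&
       openssl pkcs12 -export -in "$tmp" \
            -passout env:P12_PASS -out "$out"; then
        rc=0
    fi
    rm -f "$tmp"               # the unencrypted key does not outlive the call
    umask "$old_umask"
    return "$rc"
}
```

Once the new file reads without -legacy, the legacy provider no longer has to be activated in openssl.cnf for this certificate.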