Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12

This article discusses how to convert an existing incompatible PKCS#12 format-encrypted private key/public certificate file to a compatible PKCS#12 format file. (To generate a PKCS#12 private key and public certificate file that is suitable for use with HTTPS, FTPS, and the administrative port for Secure FTP Server-FIPS, refer to Generating a PKCS#12 Private Key and Public Certificate.)

General Information

• When operating in a FIPS-approved mode, PKI key/certificates must be between 1024- bits and 4096-bits, inclusive.

• The supported cipher combinations allowed for SSL negotiation are limited to:

• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC

• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC

• SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC

Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.

• In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms when encrypting the file. The necessary strong encryption will use 3DES and SHA1 encryption.

• PKCS#12 files often end with the prefix "p12" or "pfx." Note that "PFX" is an outdated format that is often confused with PKCS#12.

Procedure

These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions

The private key you want to convert must already be an RSA private key and be between 1024 and 4096 bits in length, inclusive. It is only possible to convert the storage format for the private key. Changing the type of key and its length is not possible and requires generation of a new private key.

1. Extract the original private key and public certificate from the incompatible PKCS#12 format file into a traditional encrypted PEM format

C:\Openssl\bin\openssl.exe pkcs12 -in <PKCS#12 Filename> -out <Encrypted PEM Filename>

Where:

• <PKCS#12 Filename> is the input filename of the incompatible PKCS#12 file.

• <Encrypted PEM Filename> is the output filename in encrypted PEM format that will contain both the private key and the public certificate.

For example:

>C:\Openssl\bin\openssl.exe pkcs12 -in my_pkcs12.pfx -out my_encrypted_pem.pem

2. Generate a compatible PKCS#12 file

>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <Encrypted PEM Filename> -out <PKCS#12 Filename> -name "<Display Name>"

Where:

• <Encrypted PEM Filename> the encrypted PEM format file generated above.

• <PKCS#12 Filename> is the output filename of the pkcs#12 format file

• <Display Name> is the desired name that will sometimes be displayed in user interfaces.

For example:

>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_encrypted_pem.pem -out my_new_pkcs12.pfx -name "my-name"

3. (Optional) Delete unneeded files. At this point, you can delete the temporary unencrypted PEM file.

The resulting PKCS#12 format file may now be used within Secure FTP Server - FIPS.