How to recreate a PKCS#12 and/or to change PKCS#12 password?
Originally Published: 2012-05-29
Applies To
RSA Data Protection Manager
RSA Key Manager Appliance
RSA Data Protection Manager Appliance
Issue
How do I recreate a PKCS#12 file and/or change its password?
The PKCS#12 is not FIPS compliant (though all certificates included in the PKCS#12 are FIPS compliant). How can a FIPS-compliant PKCS#12 be recreated?
A PFX file exported from Internet Explorer is not FIPS compliant. How can the PFX be recreated to make it FIPS compliant?
Resolution
1. Copy the existing non-conforming PKCS#12, say existingpkcs12.p12, to a temporary folder (say, the /tmp folder on the RKM or DPM Appliance).
2. Go to a command prompt (or log in as root at the shell prompt on the RKM or DPM Appliance) and change the working directory to the temporary folder (e.g., /tmp):
cd /tmp
3. Extract the client certificate from the PKCS#12 file "existingpkcs12.p12":
openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_clcert.pem -nokeys -clcerts
Note: When prompted, provide the current password protecting the PKCS#12. If the current PKCS#12 was not protected with any password, simply hit enter at the password prompt.
4. Extract the client certificate's private key from the PKCS#12 file "existingpkcs12.p12":
openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_key.pem -nocerts -des3
Notes:
- On the first password prompt, provide the current password protecting the PKCS#12. If the current PKCS#12 was not protected with any password, simply hit enter at the first password prompt.
- On the second password prompt (and a third one for verification), provide a new password to encrypt the private key file.
5. (Optional) Extract the CA certificates (if any exist) from the PKCS#12 file "existingpkcs12.p12":
openssl pkcs12 -in existingpkcs12.p12 -out existingpkcs12_cacerts.pem -nokeys -cacerts
Note: When prompted, provide the current password protecting the PKCS#12. If the current PKCS#12 was not protected with any password, simply hit enter at the password prompt.
6. Re-create the PKCS#12, say as a new file "newpkcs12.p12", which is FIPS compliant and usable with the RKM Client. Note that the latest versions of the RKM/DPM Clients do not require a CA certificate to be included in the PKCS#12; however, some older Clients (or the PS version of the SOM/DTS Clients) may require the root CA of the server certificate to be added to the PKCS#12.
a) If no CA certificate exists, or none is required in the new PKCS#12, use the following command (all on one line):
openssl pkcs12 -export -in existingpkcs12_clcert.pem -inkey existingpkcs12_key.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out newpkcs12.p12
b) If CA certificate(s) exist AND must be included in the new PKCS#12 (in which case step #5 above will have been followed), use the following command (all on one line):
openssl pkcs12 -export -in existingpkcs12_clcert.pem -inkey existingpkcs12_key.pem -certfile existingpkcs12_cacerts.pem -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out newpkcs12.p12
Notes:
- On the first password prompt, provide the private key password set in step #4 above.
- On the second password prompt (and a third one for verification), provide a new password to encrypt the new PKCS#12. Make sure that the new password is at least 8 characters long.
7. Copy the new PKCS#12 "newpkcs12.p12" to the RKM Client host machine for use with the Client application. Make sure that the RKM Client configuration is updated to use the new password for the new PKCS#12.
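Steps 3 to 6 as a non-interactive shell function that also checks the result and removes the extracted key file afterwards. This is an added example, not part of the original article: the function name rebuild_p12 and the exported environment variables OLD_PASS and NEW_PASS are assumptions, and the same new password is used for the intermediate key file and the new PKCS#12.

```shell
#!/bin/sh
# Added example: steps 3-6 without prompts, then a check of the result.
# OLD_PASS and NEW_PASS are assumed, exported environment variables
# (names chosen for this example); NEW_PASS protects both the intermediate
# key file and the new PKCS#12.

rebuild_p12() {    # usage: rebuild_p12 existingpkcs12.p12 newpkcs12.p12
    in_p12=$1
    out_p12=$2
    # Step 6 note: the new password must be at least 8 characters long.
    [ "${#NEW_PASS}" -ge 8 ] || { echo "NEW_PASS too short" >&2; return 2; }
    # Private working directory rather than files written straight into /tmp.
    work=$(umask 077 && mktemp -d) || return 1
    rc=0
    {
        # Step 3: client certificate only.
        openssl pkcs12 -in "$in_p12" -passin env:OLD_PASS \
            -nokeys -clcerts -out "$work/clcert.pem" &&
        # Step 4: private key, re-encrypted with 3DES.
        openssl pkcs12 -in "$in_p12" -passin env:OLD_PASS \
            -nocerts -des3 -passout env:NEW_PASS -out "$work/key.pem" &&
        # Step 5: CA certificates (the file stays empty when there are none).
        openssl pkcs12 -in "$in_p12" -passin env:OLD_PASS \
            -nokeys -cacerts -out "$work/cacerts.pem" &&
        # Step 6a/6b: add -certfile only when step 5 found a CA certificate.
        if grep -q 'BEGIN CERTIFICATE' "$work/cacerts.pem"; then
            set -- -certfile "$work/cacerts.pem"
        else
            set --
        fi &&
        openssl pkcs12 -export -in "$work/clcert.pem" -inkey "$work/key.pem" \
            "$@" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
            -passin env:NEW_PASS -passout env:NEW_PASS -out "$out_p12"
    } || rc=$?
    rm -rf "$work"    # do not leave the extracted key behind
    [ "$rc" -eq 0 ] || return "$rc"
    # Check: print the encryption algorithm of the certificate and key bags.
    openssl pkcs12 -in "$out_p12" -passin env:NEW_PASS -info -noout 2>&1 |
        grep -E 'Encrypted data|Keybag'
}
```

Both lines it prints should name pbeWithSHA1And3-KeyTripleDES-CBC, the algorithm selected by -keypbe and -certpbe in step 6.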