Netgate Discussion Forum

    Exported pkcs#12 password

      jrey

      Background:
      using DNS update method which is working fine.

      Under system version 22.05, a couple of months ago, certificate was obtained and exported fine (then importing on an older internal windows server). Everything worked fine.

      since then the netgate 2100 was upgraded to 23.01 and the latest associated acme package.

      Last night was first renewal time under 23.01 and the certificate was automatically updated. No errors. Certificate looks fine on the netgate.

      so export cert. and bring the .p12 file over to the windows machine to import, during import step "invalid password"
      I didn't specifically set one.

      delete the associated "R3" certs on the windows machine. try import. Again "invalid password"

      go back to .p12 file copy of the cert from 2 months ago, imports with no problem. and creates the "R3" with no issues, but of course it expires soon.

      Curious what else might I look at?

      I found an article about a similar issue and then viewing the "password" using WIN-ACME (which I do not run)
      https://www.alitajran.com/export-lets-encrypt-certificate-in-windows-server/

      is there a method similar I could try to view this on the netgate?

      Thanks

      Resolved:
      simply used openssl on another box to generate the .p12 file from the .crt and .key files exported from the acme netgate. the openssl generated .p12 file has no problem loading on the windows box (with or without providing a password on the key).
      the .p12 exported directly from the netgate will not load, tried all the different encryption selections, both with and without password.

        sgw @jrey

        Seems I also hit this issue.
        Could you specify which CA-crt you use for building that p12?

        I assumed it was "lets-encrypt-r3.pem" or does it have to be the whole chain up to the root somehow?

        So you ran something like:

        openssl pkcs12 -export -certfile  lets-encrypt-r3.pem  -in my.crt  -inkey my.key  -out user.p12
        

        and entered NO password when it asks "Enter Export Password:" ?

        I think I tried this also and failed, will have to recheck.

        Currently still on 23.01 at this site.

          jrey @sgw

          @sgw

          so I ran something like this (on a couple of different versions of openssl, but all on Mac systems)

          openssl pkcs12 -password pass:whateveryouwant -export -in thepfsenseexported.crt -inkey thepfsenseexported.key -name "some-friendly-name" -out thenew.p12

          What I noticed in all cases was that the .p12 exported from the netgate was significantly different in size as compared to the one created directly with openssl. (the openssl created cert was the same size regardless of openssl version used)

          Also on the dialog for exporting, there is an option to select different encryption levels (tried them all, none worked). I thought that since the destination, in my case was an older windows system, the "low" option should do the trick. Nope


          once I had the openssl created cert it worked fine on the windows box.

          I've since upgraded the netgate from 23.01 to 23.05 and haven't had the "opportunity" (need) to try a direct export again to see if anything changed. (the current certs are still about 40 days out)

          Hope that helps
          JR

            sgw @jrey

            @jrey thanks for the quick reply.
            In my case exporting with "Low" and no password worked (for a Windows Server 2016 Exchange).
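
Added example (not part of the thread and not Netgate's code): a shell sketch of the workaround discussed above, rebuilding the .p12 from the exported .crt and .key with openssl and then listing the MAC and encryption algorithms of any .p12, so the firewall-exported file and the rebuilt one can be compared. The function names, file names and the choice of SHA1/3DES in the usage section are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. File names and the friendly name are
# placeholders; the password is passed through the environment so it does not
# show up in the process list (the thread's commands use -password pass:...).

# build_p12 CRT KEY OUT PASSWORD [extra "openssl pkcs12 -export" options]
build_p12() {
    crt=$1; key=$2; out=$3; pw=$4
    shift 4
    P12_PW=$pw openssl pkcs12 -export -in "$crt" -inkey "$key" \
        -name "some-friendly-name" -out "$out" -passout env:P12_PW "$@"
}

# p12_algorithms FILE PASSWORD
# Prints the MAC, certificate-encryption and key-encryption lines reported by
# "openssl pkcs12 -info". Returns non-zero if openssl cannot open the file
# with that password.
p12_algorithms() {
    info=$(P12_PW=$2 openssl pkcs12 -info -noout -in "$1" \
        -passin env:P12_PW 2>&1) || {
        echo "cannot read $1: $info" >&2
        return 1
    }
    printf '%s\n' "$info" | grep -E '^(MAC|PKCS7|Shrouded)'
}

# Usage: P12_PASSWORD=... sh p12check.sh my.crt my.key new.p12
# Assumption: the importing system only accepts the older SHA1/3DES scheme,
# so those algorithms are requested explicitly instead of openssl's defaults.
if [ "$#" -eq 3 ]; then
    build_p12 "$1" "$2" "$3" "${P12_PASSWORD:?set P12_PASSWORD}" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 &&
        p12_algorithms "$3" "$P12_PASSWORD"
fi
```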

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.