We are in the process of our release and are currently blocked because of one issue, so your input on this will be very helpful. We recently moved to 3.0.8 from 1.0.2.
We have a counterpart in our organization whom we call to provide some certs (pub/priv/passphrase) information, which we store and later use for connecting to them (https) when we are on the customer site. This is where we are facing issues now.
They are using the below Java code to generate the certificate pair and pass it to our application.
Snippet:
// generate PKCS10 certificate request
X500Principal subjectName = new X500Principal(cn);
PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(subjectName, keyPair.getPublic());
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder(KEY_SHA_256_WITH_RSA);
ContentSigner signer = csBuilder.build(keyPair.getPrivate());
PKCS10CertificationRequest csr = p10Builder.build(signer);
// get the csr
return Base64.toBase64String(csr.getEncoded());
So is the way the certificate is generated using PKCS10 the issue? Will it internally use the PKCS12KDF algorithm?
When we checked the certs with the openssl command, it clearly throws an error that PKCS12KDF is unsupported.
[root@783fb53751be ESE_client]# OPENSSL_CONF=/tmp/openssl.cnf openssl s_client -connect 10.105.130.237:443 --cert test.crt --key pkey.pem
Enter pass phrase for pkey.pem:
Could not read client certificate private key from pkey.pem
40474654647F0000:error:1608010C:STORE routines:(unknown function):unsupported:crypto/store/store_result.c:151:
40474654647F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
40474654647F0000:error:1180006B:PKCS12 routines:(unknown function):key gen error:crypto/pkcs12/p12_crpt.c:55:
Could you please provide your thoughts on how to resolve this issue?
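
A check for the situation in the post, added here as an example and not part of the original message: the trace shows PKCS12KDF being fetched while reading pkey.pem, so this Python code reads the encryption algorithm OID of a PKCS#8 "ENCRYPTED PRIVATE KEY" file and reports whether it belongs to the PKCS#12 password-based family. It assumes pkey.pem is in that PEM form; key_encryption_scheme and sample_pem are names made up for this example, and the sample input is constructed.

```python
import base64
import re

PKCS12_PBE_ARC = "1.2.840.113549.1.12.1"  # pbeWithSHAAnd* schemes: key comes from the PKCS#12 KDF
PBES2_OID = "1.2.840.113549.1.5.13"       # PBES2: key comes from the KDF named in its parameters
PEM_RE = re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_encryption_scheme(pem_text):
    """Classify the password-based scheme protecting a PKCS#8 encrypted key."""
    m = PEM_RE.search(pem_text)
    if not m:
        return ("not-pkcs8-encrypted", None)
    der = base64.b64decode("".join(m.group(1).split()))
    # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
    t1, p1, _ = _tlv(der, 0)
    t2, p2, _ = _tlv(der, p1)
    t3, p3, end = _tlv(der, p2)
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER EncryptedPrivateKeyInfo")
    oid = _oid(der[p3:end])
    if oid.startswith(PKCS12_PBE_ARC + "."):
        return ("pkcs12-pbe", oid)
    return ("pbes2" if oid == PBES2_OID else "other", oid)

def sample_pem(oid_bytes):
    """Constructed input: real outer structure, dummy salt, count and ciphertext."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    params = der(0x30, der(0x04, bytes(8)) + der(0x02, b"\x08\x00"))
    blob = der(0x30, der(0x30, der(0x06, oid_bytes) + params) + der(0x04, bytes(16)))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

A result of pkcs12-pbe for the key file means decrypting it needs PKCS12KDF from whichever OpenSSL providers the active configuration loads; the PKCS#10 request itself carries no encrypted key material.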