Having found out what encryption algorithm was used to encrypt my pfx file, using openssl, I now want to upgrade the pfx file to use the most secure algorithms available, rather than 40-bit rc2. How can I do this?
Asked
Active
Viewed 417 times
1 Answers
1
Openssl can also be used to upgrade the encryption, by creating a new pfx file with the same certificate and private key, but seems to require a multi-step process
First read the pfx file and export it as a pem file:
openssl pkcs12 -in badcert.pfx -passin pass:SECRETPASSWORD -nodes -out temp.pem
Second read the pem file and export it as a pfx file with upgraded encryption. I included the -macalg sha256
option here, though I can't prove that it is doing anything:
openssl pkcs12 -export -in temp.pem -out goodcert.pfx -descert -passout pass:SECRETPASSWORD -macalg sha256
Verify that the new pfx file has good (or at least better) encryption:
openssl pkcs12 -info -in goodcert.pfx -noout -passin pass:SECRETPASSWORD
Delete the old files:
rm temp.pem
rm badcert.pfx
Note that although openssl reports password-based encryption with SHA-1, it is actually the PBKDF2 variant of iterated SHA-1, per RFC7292, so this is not a weakness.
Martin Randall
- 149
- 1
- 5