0

Having found out what encryption algorithm was used to encrypt my pfx file, using openssl, I now want to upgrade the pfx file to use the most secure algorithms available, rather than 40-bit rc2. How can I do this?

Martin Randall
  • 149
  • 1
  • 5

1 Answers1

1

Openssl can also be used to upgrade the encryption, by creating a new pfx file with the same certificate and private key, but seems to require a multi-step process

First read the pfx file and export it as a pem file:

openssl pkcs12 -in badcert.pfx -passin pass:SECRETPASSWORD -nodes -out temp.pem

Second read the pem file and export it as a pfx file with upgraded encryption. I included the -macalg sha256 option here, though I can't prove that it is doing anything:

openssl pkcs12 -export -in temp.pem -out goodcert.pfx -descert -passout pass:SECRETPASSWORD -macalg sha256

Verify that the new pfx file has good (or at least better) encryption:

openssl pkcs12 -info -in goodcert.pfx -noout -passin pass:SECRETPASSWORD 

Delete the old files:

rm temp.pem
rm badcert.pfx

Note that although openssl reports password-based encryption with SHA-1, it is actually the PBKDF2 variant of iterated SHA-1, per RFC7292, so this is not a weakness.

Martin Randall
  • 149
  • 1
  • 5