Convert legacy .p12/.pfx files to support OpenSSL 3

OpenSSL 3 has deprecated or removed certain older encryption algorithms to prioritize stronger security and streamline the library's codebase. A PKCS12 file protected with one of these algorithms fails to parse with an error such as:

OpenSSL::PKCS12::PKCS12Error (PKCS12_parse: unsupported (Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()))

This error message indicates that your .p12 file uses a legacy algorithm (RC2-40-CBC in this example) that OpenSSL 3.0 does not support by default. Follow these steps to convert your certificate to a format compatible with the latest OpenSSL version.

1. Creating a Temporary Legacy Certificate Copy:

Replace CERTIFICATE_FILE_NAME with the actual name of your PKCS12 certificate file.

cp CERTIFICATE_FILE_NAME.p12 temp_certificate.p12

2. Conversion to PEM Format:

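Convert the temp_certificate.p12 file from PKCS12 format to a temp_certificate.pem file in PEM format without encrypting the private key in the output file. Replace CERTIFICATE_PASSWORD with the actual password of the certificate. The private key in temp_certificate.pem is stored in clear text, so keep the file out of shared directories until it is deleted in step 5.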

openssl pkcs12 -legacy -in temp_certificate.p12 -out temp_certificate.pem -nodes -passin pass:CERTIFICATE_PASSWORD

3. Extracting the Private Key:

Extract the private key from the temp_certificate.p12 file in PKCS12 format and store it in the temp_certificate.key file. The private key in the output file will be encrypted.

openssl pkcs12 -legacy -in temp_certificate.p12 -nocerts -out temp_certificate.key -passin pass:CERTIFICATE_PASSWORD -passout pass:'CERTIFICATE_PASSWORD'

4. Creating a New Certificate:

Generate a new new_certificate.p12 file in PKCS12 format based on the private key from the temp_certificate.key file and the certificate from the temp_certificate.pem file.

openssl pkcs12 -export -out new_certificate.p12 -inkey temp_certificate.key -in temp_certificate.pem -passin pass:CERTIFICATE_PASSWORD -passout pass:CERTIFICATE_PASSWORD

5. Deleting Temporary Files:

rm -rf temp_certificate.p12 temp_certificate.pem temp_certificate.key

Done! Your converted certificate is named new_certificate.p12 and is ready to use for document signing.
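
The five steps above combined into one shell function, as an added example that is not part of the original page. The function name convert_p12 and the P12_PASS environment variable are assumptions of this example; it passes the password through openssl's env: source instead of pass:, keeps the intermediate files in a private temporary directory, and checks that the result parses without -legacy.

```shell
#!/usr/bin/env bash
# Added example: steps 1-5 as one function. convert_p12 and P12_PASS are
# names chosen for this example; they are not part of OpenSSL.
# Usage: P12_PASS='...' convert_p12 CERTIFICATE_FILE_NAME.p12 new_certificate.p12

convert_p12() (
  # Subshell body: umask, trap and exit stay local to this call.
  src=$1 dst=$2
  [ -r "$src" ] || { echo "cannot read: $src" >&2; exit 2; }
  [ -n "${P12_PASS-}" ] || { echo "P12_PASS is not set" >&2; exit 2; }
  export P12_PASS               # env: keeps the password out of argv

  umask 077                     # temp files readable by the owner only
  tmp=$(mktemp -d) || exit 1    # src is only read, so step 1's copy is not needed
  trap 'rm -rf "$tmp"' EXIT     # step 5, also runs when a step fails

  # Step 2: certificates and key to PEM; the key is unencrypted, so it
  # never leaves the private temp directory.
  openssl pkcs12 -legacy -in "$src" -out "$tmp/all.pem" -nodes \
    -passin env:P12_PASS || exit 1
  # Step 3: the key alone, encrypted again with the same password.
  openssl pkcs12 -legacy -in "$src" -nocerts -out "$tmp/key.pem" \
    -passin env:P12_PASS -passout env:P12_PASS || exit 1
  # Step 4: rebuild the PKCS12 with the default algorithms of OpenSSL 3.
  openssl pkcs12 -export -out "$tmp/new.p12" -inkey "$tmp/key.pem" \
    -in "$tmp/all.pem" -passin env:P12_PASS -passout env:P12_PASS || exit 1
  # Check: the result must parse without -legacy before it is published.
  openssl pkcs12 -in "$tmp/new.p12" -noout -passin env:P12_PASS || exit 1

  mv "$tmp/new.p12" "$dst" || exit 1
  exit 0
)
```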