Richard C.
Reading cryptographic certificates is a common task when working with security. However, if the certificate file you use is outdated, it may be encrypted with an algorithm that modern OpenSSL no longer supports by default. You will then get the error "error:0308010C:digital envelope routines::unsupported" when calling `openssl pkcs12`.
You’ll encounter the same error in a programming language that uses your operating system’s OpenSSL, for example when calling `openssl_pkcs12_read` in PHP or `cryptography.hazmat.primitives.serialization.pkcs12` in Python.
If you read the PFX file in the terminal, you can add `-legacy` to the read command. For example, if you have a certificate file made in OpenSSL version 1 that you try to open in version 3:

```
openssl pkcs12 -in mycert.pfx -nodes
# error:
# 40176B4E4C750000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

openssl pkcs12 -in mycert.pfx -nodes -legacy
# correctly outputs contents
```
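The error above names the algorithm OpenSSL 3 refused (RC2-40-CBC). As an added example that is not part of the original article, the following Python script inspects a PFX file and reports which PKCS#12 password-based encryption algorithms it uses, so you can tell before touching any configuration whether a file will need `-legacy` or the legacy provider; it goes beyond the article by covering the RC4 and 3DES PBE identifiers as well as RC2. It matches the DER byte encoding of each known OID rather than parsing the full ASN.1 structure, an assumption that holds for real PFX files; the two sample inputs are constructed AlgorithmIdentifier fragments, not real certificates.

```python
import sys
# PKCS#12 PBE OID -> (name, needs the OpenSSL 3 legacy provider?).
# RC2 and RC4 live only in the legacy provider; 3DES and PBES2 are in the default one.
PBE_OIDS = {
    "1.2.840.113549.1.12.1.1": ("pbeWithSHA1And128BitRC4", True),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHA1And40BitRC4", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.4": ("pbeWithSHA1And2-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHA1And128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2 (PBKDF2 + AES, default provider)", False),
}

def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OBJECT IDENTIFIER (first two arcs merged, base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for n in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.append(0x80 | (n & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def der(tag: int, content: bytes) -> bytes:
    n = len(content)  # DER TLV with short- or long-form length
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def scan_pfx(data: bytes):
    """Return (needs_legacy, sorted algorithm names) for raw PFX/DER bytes. Heuristic:
    matches the exact DER encoding of each known OID instead of walking the ASN.1 tree."""
    found = {name: legacy for oid, (name, legacy) in PBE_OIDS.items()
             if der(0x06, encode_oid(oid)) in data}
    return any(found.values()), sorted(found)

def sample_alg_id(oid: str) -> bytes:
    """Constructed AlgorithmIdentifier { oid, { salt OCTET STRING, iterations INTEGER } }."""
    params = der(0x30, der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00"))
    return der(0x30, der(0x06, encode_oid(oid)) + params)
# Constructed samples, not real PFX files: an OpenSSL 1.1-style RC2-40 PBE and a PBES2 one.
LEGACY_SAMPLE = sample_alg_id("1.2.840.113549.1.12.1.6")
MODERN_SAMPLE = sample_alg_id("1.2.840.113549.1.5.13")

if __name__ == "__main__":  # usage: python pfx_scan.py mycert.pfx
    legacy, algs = scan_pfx(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_SAMPLE)
    print("PBE algorithms:", ", ".join(algs) or "none recognised", "| needs legacy provider:", legacy)
```

A file that reports only 3DES or PBES2 algorithms opens without `-legacy`; re-exporting a legacy file with a current OpenSSL (which defaults to PBES2 with AES) removes the need for the legacy provider entirely.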
If you use a programming language that relies on OpenSSL rather than the terminal, you’ll need to edit your OpenSSL configuration file instead. As a superuser, edit the /etc/ssl/openssl.cnf file: activate the existing [default_sect], add a [legacy_sect], and add the legacy provider to [provider_sect]. The sections should now look like this:

```
[default_sect]
activate = 1

[legacy_sect]
activate = 1

[provider_sect]
default = default_sect
legacy = legacy_sect
```
Save and exit. Your code will now be able to read legacy OpenSSL certificates. Note that this enables the legacy provider for every program on the machine that uses the system OpenSSL configuration, whereas the `-legacy` flag only enables it for a single command.
If you want to create your own legacy PFX file for testing, start the docker.io/bitnami/laravel:8 Docker image and connect to bash inside it with `docker exec -it your_container_name bash`. Running `openssl version` in the container shows that the image uses OpenSSL 1.1.1d 10 Sep 2019.
Then make a PFX file with the following commands:

```
openssl genrsa -out mycert.key 2048
openssl req -new -x509 -key mycert.key -out mycert.crt -days 365 -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My Department/CN=mydomain.com"
openssl pkcs12 -export -out mycert.pfx -inkey mycert.key -in mycert.crt -password pass:
```
Read it:

```
openssl pkcs12 -in mycert.pfx -nodes
# press enter when asked for a password
```
If your physical machine runs the latest version of its operating system, it should have OpenSSL version 3 or later, and you can try to read the file generated in the container to test whether `-legacy` works.