[openssl-users] openssl 1.0.2h pkcs12 export fails @ "digital envelope routines:EVP_PBE_CipherInit:unknown cipher"

PGNet Dev pgnet.dev at gmail.com
Tue Jun 28 17:24:41 UTC 2016

I'm setting up a new, local CA.

The local openssl instance is

	openssl version
		OpenSSL 1.0.2h  3 May 2016

config'd/built with

	no-comp no-zlib no-zlib-dynamic \
	enable-ec_nistp_64_gcc_128 \
	enable-rfc3779 \
	enable-ecdsa \
	no-idea \
	no-mdc2 \
	no-rc2 \
	no-rc5 \
	no-ssl2 \
	no-ssl3 \

pkcs12 export, which worked a (long) while ago, now fails,

	openssl genrsa -des3 -aes256 -out test_CA.key 4096

	openssl req -new -x509 -sha512 -days 365 -set_serial 01 -config 
./openssl.cnf  -subj 
"/C=US/ST=ST/L=CITY/O=example.com/OU=test_CA/emailAddress=ssl at example.com/CN=test_CA" 
	-key test_CA.key \
	-out test_CA.crt

	openssl pkcs12 -export \
	-in    test_CA.crt \
	-inkey test_CA.key \
	-out   test_CA.p12

		140199860266640:error:060740A0:digital envelope 
routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
		140199860266640:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 
algor cipherinit error:p12_decr.c:87:
routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:188:
routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:213:

Looks like the config above removed a required cipher?  Perhaps too 
stringent ...

What's the fix/workaround to get pkcs12 export working again?

More information about the openssl-users mailing list