pkcs12 cert and mac algorithms

Frank Corrao frank.corrao at
Thu Mar 9 22:15:08 UTC 2023

I’m trying to create a pkcs12 bundle using openssl 1.1.1 that will contain a client cert, intermediate cert and private key and be usable on android 13.  When I try to import the pkcs12 bundle, android throws an error "ASN.1 encoding routines:OPENSSL_internal:WRONG_TAG" and doesn't prompt for the export password, implying the issue is with the unencrypted data.  openssl asn1parse is able to read the file just fine and the bundle is usable on other platforms such as iOS and osx, but not android 13.  I’ve tried creating the pkcs12 using many variations of certpbe, keypbe and macalg, hoping to find something that would be accepted, but all attempts result in the WRONG_TAG error.  Are there any other tags in the unencrypted portion of the bundle that android could be objecting to, or am I on the right track with the pbe and mac algorithms?

