03-23-2023 07:23 AM
Hello team,
I got this error when I try to install my public certificate on my router:
Mar 23 10:15:11.526: CRYPTO_PKI: status = 0x760(E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported): Imported PKCS12 file failure
sbc#
Mar 23 10:15:11.526: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: sbc.xxx. Reason: Failed to import pkcs12 context
cisco C8000V >>> Cisco IOS XE Software, Version 17.06.03a
I found this bug CSCva44291 with the same error but I cannot find the correct solution.
03-23-2023 08:18 AM
- It's probably this one instead: https://bst.cisco.com/bugsearch/bug/CSCvz41428
M.
03-23-2023 08:39 AM
Hello @marce1000 thanks
I did the procedure with the openssl and now I got this error:
Mar 23 11:38:28.444: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure
03-23-2023 08:49 AM
- You will probably have to discuss this and/or escalate to/with Cisco TAC.
M.
03-23-2023 09:14 AM
It is a lab environment, and for this reason I don't have access to TAC.
03-23-2023 11:40 AM
I used this page https://www.sslshopper.com/ssl-converter.html to convert to pkcs12 without error
03-23-2023 02:20 PM
sbc#
sbc#copy sftp://ubuntu:ubuntu@10.x.x.199/home/ubuntu/ flash:
!
sbc#crypto pki import sbc.example.com pkcs12 flash:cert.pfx password 123456
% Importing pkcs12...Reading file from bootflash:cert.pfx
CRYPTO_PKI: Imported PKCS12 file successfully.
sbc#
Mar 23 14:39:08.276: %CRYPTO_ENGINE-5-KEY_DELETED: A key named sbc.example.com has been removed from key storage
Mar 23 14:39:08.283: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named sbc.example.com has been generated or imported by pki-pkcs12
Mar 23 14:39:08.319: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint sbc.example.com successfully imported.
sbc#
sbc#
04-26-2023 08:21 AM
Hello Guillermo, how did you solve this error? I also created a PKCS file with -macalg SHA1 due to the message digest algorithms not supported issue and am also now stuck on the invalid encoding format for input data issue.
04-26-2023 10:57 PM
I managed to solve the issue by adding the -legacy flag to the openssl command; this was my full syntax:
04-27-2023 06:29 AM
Hello @Marcus Jehrlander
As I mentioned, I had a lot of problems with OpenSSL and its version; for this reason, I used this page (https://www.sslshopper.com/ssl-converter.html) to create my PKCS file.
And as @Marcus Jehrlander mentioned, I used the same command, but I understand the problem was the OpenSSL on my Windows computer.
08-10-2023 06:02 AM - edited 08-10-2023 12:46 PM
Create the PKCS file using OpenSSL 1.1; it will not show the encoding issue. You must be trying with OpenSSL 3.x, where the encrypted data of the PFX file has PRF SHA256 (which indeed the RSA toolkit of IOS-XE will not accept for a PKCS12 file unless you are on 17.11.1).
Look at the PKCS12 file generated with OpenSSL 3:
openssl pkcs12 -noout -info -in C:\Users\KMLY9829\Desktop\TestOpenssl\sndtdsb.gsk.com.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256 <<<<<<<
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Look at the PKCS12 file generated with OpenSSL 1.1:
openssl pkcs12 -noout -info -in C:\Users\KMLY9829\Desktop\TestOpenssl\sndtdsb1.gsk.com.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 <<<<<<<<<<
Regards
Salman Mahajan
TCE-Cisco
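The two failures in this thread (E_DIGEST_ALG_NOT_SUPPORTED fixed by -macalg sha1, then E_INPUT_DATA caused by the PBES2/PBKDF2 parameters with PRF hmacWithSHA256 that OpenSSL 3.x writes by default) can be avoided without the -legacy provider by naming the PKCS#12 v1 algorithms explicitly. The script below is an added example, not code posted by anyone in the thread: it exports a bundle with a SHA1 MAC and pbeWithSHA1And3-KeyTripleDES-CBC for both bags (options that exist on OpenSSL 1.1 and 3.x alike), then runs openssl pkcs12 -info and fails if any PBES2/hmacWithSHA256/sha256-MAC parameter is present, so an incompatible file is caught before it is copied to the router. The self-signed key and certificate, the CN sbc.example.com and the password 123456 are constructed test values (the last two mirror the session above); the list of rejected parameters is taken from Salman's comparison, not from Cisco documentation.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#12 bundle using only
# PKCS#12 v1 PBE schemes (SHA1 MAC, pbeWithSHA1And3-KeyTripleDES-CBC bags),
# then inspect it so that PBES2 / PBKDF2 / hmacWithSHA256 parameters, which the
# thread reports IOS-XE rejecting before 17.11.1, are caught before upload.
# The explicit -macalg/-keypbe/-certpbe options work on OpenSSL 1.1 and 3.x,
# so the OpenSSL 3 -legacy switch is not required.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=123456   # constructed test value; use a real password in practice

# Constructed self-signed key/certificate pair standing in for a CA-issued one.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sbc.example.com" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export with PKCS#12 v1 algorithms only; prints the path of the bundle.
export_pfx_legacy() {
  openssl pkcs12 -export \
    -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -name sbc.example.com \
    -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
    -passout "pass:$PFX_PASS" -out "$WORK/cert.pfx"
  echo "$WORK/cert.pfx"
}

# Print the bundle's algorithm summary and return 1 if it carries any of the
# parameters the thread associates with E_DIGEST_ALG_NOT_SUPPORTED (sha256 MAC)
# or E_INPUT_DATA (PBES2 with PRF hmacWithSHA256).
check_pfx_compat() {
  info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$PFX_PASS" 2>&1)
  printf '%s\n' "$info"
  if printf '%s\n' "$info" | grep -qE 'PBES2|hmacWithSHA256|MAC: sha256'; then
    echo "INCOMPATIBLE: PBES2/SHA256 parameters present, regenerate the PFX" >&2
    return 1
  fi
  return 0
}

# Stand-alone run: build test material, export, verify.
make_test_material
PFX=$(export_pfx_legacy)
check_pfx_compat "$PFX"
```

After the check passes, the resulting cert.pfx is what you would copy to flash: and import with crypto pki import ... pkcs12 flash:cert.pfx password ..., as in the successful session above. If the check fails on a bundle produced elsewhere (a Windows OpenSSL 3.x build, a web converter), re-exporting it with the same three options is enough; no change on the router side is needed.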