
Error exporting pkcs12 certificate in 8000v

Guillermo_PY
Level 1

Hello team,

I got this error when I try to install my public certificate on my router:

Mar 23 10:15:11.526: CRYPTO_PKI: status = 0x760(E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported): Imported PKCS12 file failure
sbc#
Mar 23 10:15:11.526: %PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: sbc.xxx. Reason: Failed to import pkcs12 context

cisco C8000V >>> Cisco IOS XE Software, Version 17.06.03a 

I found this bug, CSCva44291, with the same error, but I cannot find the correct solution.

 

 

10 Replies

marce1000
VIP

 

 - It's probably this one instead: https://bst.cisco.com/bugsearch/bug/CSCvz41428

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hello @marce1000 thanks

I did the procedure with the openssl and now I got this error:

Mar 23 11:38:28.444: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): Imported PKCS12 file failure

 

 - You will probably have to discuss this and/or escalate to/with Cisco TAC.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

It is a lab environment, and for this reason I don't have access to TAC.

Guillermo_PY
Level 1

I used this page, https://www.sslshopper.com/ssl-converter.html, to convert to pkcs12 without error.

Guillermo_PY
Level 1

sbc#
sbc#copy sftp://ubuntu:ubuntu@10.x.x.199/home/ubuntu/ flash:
!
sbc#crypto pki import sbc.example.com pkcs12 flash:cert.pfx password 123456
% Importing pkcs12...Reading file from bootflash:cert.pfx
CRYPTO_PKI: Imported PKCS12 file successfully.
sbc#
Mar 23 14:39:08.276: %CRYPTO_ENGINE-5-KEY_DELETED: A key named sbc.example.com has been removed from key storage
Mar 23 14:39:08.283: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named sbc.example.com has been generated or imported by pki-pkcs12
Mar 23 14:39:08.319: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint sbc.example.com successfully imported.
sbc#
sbc#

Hello Guillermo, how did you solve this error? I also created a PKCS file with -macalg SHA1 due to the message digest algorithms not supported issue and am also now stuck on the invalid encoding format for input data issue.

I managed to solve the issue by adding the -legacy flag to the openssl command. This was my full syntax:

openssl pkcs12 -export -out testcert.pfx -inkey privatekey.key -in cert.crt -certfile ca.crt -macalg sha1 -legacy

Hello @Marcus Jehrlander 

 

As I mentioned, I had a lot of problems with OpenSSL and its version. For this reason, I used this page (https://www.sslshopper.com/ssl-converter.html) to create my PKCS file.

And as @Marcus Jehrlander mentioned, I used the same command, but as I understand it, the problem was the OpenSSL on my Windows computer.

Create the PKCS file using OpenSSL 1.1; it will not show the encoding issue. You must be trying with OpenSSL 3.x, where the encrypted data of the PFX file has PRF SHA256 (which indeed the RSA toolkit of IOS-XE will not accept for a pkcs12 file unless you are on 17.11.1).

Look at the PKCS12 files generated with OpenSSL 3:

openssl pkcs12 -noout -info -in C:\Users\KMLY9829\Desktop\TestOpenssl\sndtdsb.gsk.com.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256 <<<<<<<
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256 

Look at the PKCS12 files generated with OpenSSL 1.1:

openssl pkcs12 -noout -info -in C:\Users\KMLY9829\Desktop\TestOpenssl\sndtdsb1.gsk.com.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048 <<<<<<<<<<

 

Regards
Salman Mahajan 
TCE-Cisco 
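
The comparison in the reply above can be scripted as a pre-import check. This is an added example, not code from any poster or from Cisco: it reads `openssl pkcs12 -noout -info` output and flags the two properties that posters in this thread tied to the import errors. The function name `check_p12_info` and the `SAMPLE_*` variables are hypothetical, and the samples are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): flag PKCS#12 properties that posters here
# tied to the two import errors. check_p12_info and the SAMPLE_* names are made up.

# Reads `openssl pkcs12 -noout -info` output on stdin, prints one finding per
# problem line, returns 0 when nothing was flagged and 1 otherwise.
check_p12_info() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "MAC: sha1,"*) ;;   # MAC digest of the working export (-macalg sha1)
            "MAC: "*)
                echo "MAC digest is not sha1 (E_DIGEST_ALG_NOT_SUPPORTED in this thread): $line"
                rc=1 ;;
            "PKCS7 Encrypted data: "*PBES2*|"Shrouded Keybag: "*PBES2*)
                echo "PBES2 protection (E_INPUT_DATA in this thread before 17.11.1): $line"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples: the first two repeat the outputs quoted in the reply above.
SAMPLE_OPENSSL3='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
SAMPLE_OPENSSL11='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'
# Constructed: an OpenSSL 3.x export made without -macalg sha1 (assumed defaults).
SAMPLE_DEFAULT3='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Real use (openssl writes the -info lines to stderr, hence 2>&1); P12_PASS is an
# environment variable you set, which keeps the password out of the command line:
#   openssl pkcs12 -noout -info -in cert.pfx -passin env:P12_PASS 2>&1 | check_p12_info
for s in "$SAMPLE_OPENSSL3" "$SAMPLE_OPENSSL11" "$SAMPLE_DEFAULT3"; do
    if printf '%s\n' "$s" | check_p12_info; then echo "no findings"; fi
    echo "--"
done
```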


