Update errors v solutions.md
dev-krestfield committed May 28, 2024
1 parent a043242 commit 8298f97
Showing 1 changed file with 35 additions and 1 deletion.
36 changes: 35 additions & 1 deletion certdog/errors v solutions.md
Expand Up @@ -390,7 +390,15 @@ When importing a PKCS12 file generated by certdog into a legacy version of Windo

Certdog uses strong encryption to protect the PKCS#12 files. Older versions of windows use a legacy based encryption mechanism and have not been updated to support more modern methods.

The PKCS#12 file can however be converted to use the older mechanisms using a tool such as openssl.
There are a few options available to overcome this issue:

1. Use openssl to convert the PKCS#12 file to use legacy algorithms
2. Import the PKCS#12 file into a newer version of windows (e.g. Windows Server 2022 or Windows 11), marking it as exportable. Then export, ensuring you choose ``TripleDES-SHA1`` as the *Encryption* option.
3. Update the start script to revert certdog to use legacy algorithms for PKCS#12 files



<u>To use OpenSSL</u>

The following example is for an initial PKCS12 file (generated by certdog) called **strong.p12**, protected with a password of **password**. This outputs a weakly protected PKCS#12 version called **legacy.p12** under a password of **password**. Update the values as required:

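Review bot: option 3 in the new list has a much wider blast radius than options 1 and 2, and the text should say so: reverting certdog to legacy PKCS#12 algorithms via the start script weakens every PKCS#12 file the service generates from then on, for every consumer, whereas the openssl conversion and the export-from-newer-Windows route downgrade only the one file that must go to the legacy host. Suggest a sentence after the list such as "Options 1 and 2 are preferred for a one-off import; option 3 changes the default for all future PKCS#12 files." Option 2 also leaves an exportable copy of the private key in the certificate store of the newer Windows machine after the export, so it is worth adding "delete the imported certificate afterwards" alongside the existing advice about key.pem. Minor: "windows" should be "Windows" and "legacy based" should be "legacy-based" in the explanatory paragraph.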
Expand All @@ -401,3 +409,29 @@ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inke
```

Delete the key.pem file after the conversion as this file contains the private key in clear text.



<u>To Revert to Legacy Algorithms</u>

Locate and open for editing the following file: ``start-tomcat.ps1``

This will be in the ``\bin`` directory (e.g. ``C:\certdog\bin`` or ``C:\certdogfree\bin``)

Locate the following line within this file:

```
$env:JAVA_OPTS = "-Djavax.net.ssl.trustStore=`"$jksLocation`" -Djavax.net.ssl.trustStorePassword=temp1234! -add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
```

And update it to include ``-Dkeystore.pkcs12.legacy``

So the complete line is as follows:

```
$env:JAVA_OPTS = "-Djavax.net.ssl.trustStore=`"$jksLocation`" -Djavax.net.ssl.trustStorePassword=temp1234! -Dkeystore.pkcs12.legacy --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
```

Save the file

Restart the **Krestfield CertDog Service**

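Review bot: the "locate the following line" snippet and the "complete line" snippet differ in more than the added property: the first shows `-add-exports=jdk.crypto.cryptoki/...` (one dash) and the second `--add-exports=jdk.crypto.cryptoki/...` (two dashes). Either the lookup snippet does not match what is actually shipped in start-tomcat.ps1, in which case users searching for it will not find the line, or the instruction silently corrects a broken JVM flag (the JVM option is `--add-exports`) without telling the reader; make both snippets consistent and, if the flag really is wrong in the shipped script, call that out as a separate fix. On the property itself, `-Dkeystore.pkcs12.legacy` with no value is acceptable as far as I know, because the JDK only checks whether the property is defined, but a short note that this reverts PKCS#12 generation for the whole service, not just one file, would match the caveat needed in the options list above. Two smaller points: both snippets embed what looks like a real trust store password (`temp1234!`) in public documentation, so consider replacing it with a placeholder; and since the openssl command in the hunk header uses `-nomac`, the resulting legacy.p12 carries no integrity MAC at all, which the "weakly protected" sentence could state explicitly.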