Trying to put in new cert - keep getting errors

mvalpreda
500 Syntax error
Posts: 14
Joined: 2015-11-11 19:14
First name: Mark
Last name: Valpreda

Trying to put in new cert - keep getting errors

#1 Post by mvalpreda » 2022-01-13 17:55

I have read 25 different posts on how to install a certificate into FileZilla Server, so I'm here out of last resort. Using the documentation I used last time I went through this.....

I have an exported PFX file (and password) from a wildcard certificate from a Windows machine. I have OpenSSL (full) installed from http://slproweb.com/products/Win32OpenSSL.html. These are the commands I'm attempting to run:

openssl pkcs12 -in 20211214.pfx -nocerts -nodes -passin pass:<password> | openssl rsa -out 20211214.pem
openssl pkcs12 -in 20211214.pfx -clcerts -nokeys -passin pass:<password> -out 20211214.crt

Bombs at the first one but does create a file.
C:\certs>openssl pkcs12 -in 20211214.pfx -nocerts -nodes -passin pass:<password> | openssl rsa -out 20211214.pem
Error outputting keys and certificates
AC080000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
writing RSA key

Same when I try this
C:\certs>openssl pkcs12 -in 20211214.pfx -out 20211214.pem -nodes
Enter Import Password:
Error outputting keys and certificates
BC060000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

What am I missing here?

botg
Site Admin
Posts: 35491
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Trying to put in new cert - keep getting errors

#2 Post by botg » 2022-01-14 09:57

It looks like that file is encrypted with RC2-40-CBC, which OpenSSL doesn't support.

It's an extremely outdated and insecure algorithm with a minuscule key size; it's not supported by your version of OpenSSL.

Personally I've always used GnuTLS' certtool to transform key/certificate files between formats.

mvalpreda

Re: Trying to put in new cert - keep getting errors

#3 Post by mvalpreda » 2022-01-14 15:33

Interesting. That is how Windows 2016 (Exchange 2016) exported the cert. Maybe I'll try importing on a newer Windows machine and then exporting again.
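
Added example, not part of the thread or of FileZilla's documentation: OpenSSL 3.x keeps RC2 in its legacy provider, which is not loaded by default, and that is what produces the `unsupported` fetch error shown in post #1. The script below reads that error, retries with `-legacy` only when a legacy cipher is named, and re-exports the PFX with OpenSSL 3's default encryption. It assumes a POSIX shell (Git Bash or WSL on Windows) and OpenSSL 3.x; `PFX_PASS` and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 3.x on PATH and the PFX
# password in the environment variable PFX_PASS (a name chosen here), so the
# password never appears on a command line or in the process list.

# Print the algorithm named in an OpenSSL 3 "unsupported" fetch error, if any.
unsupported_alg() {
    printf '%s\n' "$1" |
        sed -n 's/.*inner_evp_generic_fetch:unsupported:.*Algorithm (\([^ :)]*\).*/\1/p'
}

# True when the error text names a cipher that OpenSSL 3 keeps only in its
# legacy provider (RC2 and RC4 variants are checked here).
needs_legacy() {
    case "$(unsupported_alg "$1")" in
        RC2-*|RC4*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decrypt SRC (falling back to the legacy provider only if required) and write
# DST re-encrypted with OpenSSL 3's defaults (AES-256-CBC, PBKDF2).
reexport_pfx() {
    src=$1 dst=$2
    [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS first" >&2; return 2; }
    old_umask=$(umask); umask 077        # plaintext key file is owner-only
    tmp=$(mktemp) || { umask "$old_umask"; return 1; }
    rc=0
    err=$(openssl pkcs12 -in "$src" -noenc -passin env:PFX_PASS -out "$tmp" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        if needs_legacy "$err"; then
            echo "legacy cipher $(unsupported_alg "$err"); retrying with -legacy" >&2
            rc=0
            openssl pkcs12 -legacy -in "$src" -noenc -passin env:PFX_PASS -out "$tmp" || rc=$?
        else
            printf '%s\n' "$err" >&2      # some other failure: show it as-is
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        openssl pkcs12 -export -in "$tmp" -passout env:PFX_PASS -out "$dst" || rc=$?
    fi
    rm -f "$tmp"; umask "$old_umask"      # never leave the plaintext key behind
    return "$rc"
}

# Usage: PFX_PASS='...' sh reexport.sh old.pfx new.pfx
if [ "$#" -eq 2 ]; then reexport_pfx "$1" "$2"; fi
```

The re-exported file no longer depends on RC2, so tools built against OpenSSL 3 defaults can read it without `-legacy`.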
