Issue
You have just updated to Cerberus 12.11.x or above and now receive this error on your certificate when verifying it in 'Server Manager' > 'Security' > 'General':
"Unable to load TLS key pair after update to 12.11: Error parsing PKCS#12 file: unsupported"
Explanation of issue
If you have FIPS 140-2 mode turned 'On' you may be using a .pfx that was created with an encryption algorithm that is no longer supported by FIPS 140-2 and OpenSSL v3.0.
If you see that FIPS 140-2 is 'Off', try restarting the Cerberus service using 'services.msc'. It's possible you had FIPS 140-2 turned on at some point and Cerberus thinks you still have it on.
Cerberus 12.11 and above, with FIPS mode on, will support a PFX file as long as it uses the newer "TripleDES-SHA1" and/or "AES256-SHA256" encryption algorithms.
PFX files created using the Windows Certificate Store in Windows Server 2012 R2 and below, as well as the DigiCert tool available online, use an unsupported encryption algorithm, and there is no option to select a newer one when exporting a PFX.
In Windows Server 2016 and above, both of the encryption algorithms offered are supported.
See Moving to OpenSSL 3 in Cerberus 12.11
Solutions
Preferred: Re-export PFX from Windows with newer encryption.
If you are now running Cerberus on Windows Server 2016 or above, you can either re-export the PFX if it's still in your Certificate Store, or you can import the PFX into the Windows Certificate Store and re-export it. To import the PFX, double-click on the .pfx file and follow the Wizard to import it.
Next, follow these steps to re-export it: see Exporting a certificate from the Windows Certificate Store for use by Cerberus FTP Server
Preferred if you are still on Windows 2012: Use OpenSSL to take your current PFX and create a new one.
You can use OpenSSL to import the old PKCS#12 file and then export it again with "TripleDES-SHA1" encryption.
Procedure to export new PFX
These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions.
The private key you want to convert must already be an RSA private key and be between 1024 and 4096 bits in length, inclusive. It is only possible to convert the storage format for the private key. Changing the type of key and its length is not possible and requires generation of a new private key.
1. Extract the original private key and public certificate from the incompatible PKCS#12 format file into a traditional encrypted PEM format.
C:\Openssl\bin\openssl.exe pkcs12 -in <PFX Filename> -out <Encrypted PEM Filename>
Where...
<PFX Filename> = the input filename of the incompatible PFX file.
<Encrypted PEM Filename> = the output filename in encrypted PEM format that will contain both the private key and the public certificate.
For example:
C:\Openssl\bin\openssl.exe pkcs12 -in my_pkcs12.pfx -out my_encrypted_pem.pem
2. Generate a compatible PFX file
C:\Openssl\bin\openssl.exe pkcs12 -export -in <Encrypted PEM Filename> -out <PKCS#12 Filename> -name "<Display Name>"
Where...
<Encrypted PEM Filename> = the encrypted PEM format file generated above.
<PKCS#12 Filename> = the output filename of the PKCS#12 format file.
<Display Name> = the desired name that will sometimes be displayed in user interfaces. This is optional.
For example:
C:\Openssl\bin\openssl.exe pkcs12 -export -in my_encrypted_pem.pem -out my_new_pkcs12.pfx -name "my-name"
3. (Optional) Delete unneeded files.
At this point, you can delete the temporary PEM file created in step 1; it contains your private key and is no longer needed.
4. Reinstall the new PFX in 'Server Manager' > 'Security' > 'General' > 'Server Key Pair'. A Cerberus service restart is recommended after installing the new PFX.
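To check which PBE algorithms a PFX actually contains before converting it (or to confirm the new one), here is an added Python example, not Cerberus or OpenSSL code, that walks the file's DER structure and matches the PBE algorithm OIDs from the PKCS#12 and PKCS#5 standards; the sample inputs are constructed AlgorithmIdentifier fragments, not real certificates.

```python
"""List the PBE algorithms inside a PKCS#12 (.pfx) file to predict, offline, whether FIPS mode with OpenSSL 3 will load it."""

# OIDs from PKCS#12 (RFC 7292) and PKCS#5 (RFC 8018); the LEGACY set is what
# pre-2016 Windows exports use for the certificate bags and OpenSSL 3 refuses.
LEGACY = {
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
}
SUPPORTED = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",  # "TripleDES-SHA1"
    "1.2.840.113549.1.5.13": "PBES2",  # wrapper the "AES256-SHA256" export option uses
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs are packed into one value as 40*X + Y
    prefix = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in prefix + arcs[1:])

def iter_oids(der):
    """Yield every OID in a DER blob, descending into constructed types and OCTET STRINGs (PKCS#12 nests SafeContents in them)."""
    pos = 0
    while pos + 1 < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            count, pos = length & 0x7F, pos + (length & 0x7F)
            length = int.from_bytes(der[pos - count:pos], "big")
        body, pos = der[pos:pos + length], pos + length
        if tag == 0x06 and body:
            yield decode_oid(body)
        elif tag & 0x20 or tag == 0x04:
            yield from iter_oids(body)  # opaque ciphertext simply yields no known OIDs

def classify(der):
    """Return (legacy_names, supported_names); any legacy entry means FIPS mode reports 'unsupported'."""
    found = set(iter_oids(der))
    return (sorted(LEGACY[o] for o in found if o in LEGACY),
            sorted(SUPPORTED[o] for o in found if o in SUPPORTED))

# Constructed samples: a bare AlgorithmIdentifier {oid, {salt, 2048}} as found in a PFX, RC2-40 then TripleDES-SHA1.
SAMPLE_LEGACY = bytes.fromhex("301c060a2a864886f70d010c0106300e0408001122334455667702020800")
SAMPLE_3DES = bytes.fromhex("301c060a2a864886f70d010c0103300e0408001122334455667702020800")
```

Run it on a real file with classify(open("my_pkcs12.pfx", "rb").read()); a legacy Windows export typically shows RC2-40 for the certificates alongside TripleDES-SHA1 for the key, and any legacy entry is enough to trigger the error. The same algorithm names are printed by openssl pkcs12 -info -in my_pkcs12.pfx -noout, which on OpenSSL 3 needs the -legacy option to read such files at all.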
Other possible solutions:
- Find and use the certificate file (*.crt) and private key (*.key) and use them separately in Cerberus. Cerberus understands both DER and PEM encoded certificate formats (Apache Web Format). IIS (*.cer) certificate files are not supported. See Importing a 3rd Party Certificate
- Not Recommended: Turn off FIPS 140-2 mode in 'Server Manager' > 'Security' > 'General'. This is not recommended if you are required to maintain heightened security for HIPAA or GDPR compliance. See What is FIPS 140-2?
- Not Recommended: Roll back to 12.10.1 until you are able to procure a compatible PFX or other certificate. Please open a support ticket at support@cerberusftp.com for steps before attempting.