The private key is probably encoded with a non-FIPS-compliant algorithm.
Try encoding the private key with PKCS8.


Jim Adams
Principal Software Developer
Rocket Software
Email: jad...@rs.com<mailto:jsh...@rocketsoftware.com>
Web: bluezone.rocketsoftware.com<http://www.bluezonesoftware.rocketsoftware.com/>

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Lior Aharoni
Sent: Thursday, June 18, 2009 11:12 AM
To: openssl-users@openssl.org
Subject: pkcs12 command does not work in FIPS mode


Hello,

I have encountered a problem when trying to use the OpenSSL command to decode a
PKCS12 file. I am using OpenSSL 0.9.8j that was built with FIPS support enabled.

When working in non-FIPS mode I perform the following operation successfully:

K:\>openssl

OpenSSL> pkcs12 -in k:\server.p12.pfx

When I am in FIPS mode and perform the same operation I get the following error:

Error outputting keys and certificates

7956:error:0607B090:digital envelope routines:EVP_CipherInit_ex:disabled for fips:.\crypto\evp\enc_min.c:306:

7956:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:.\crypto\evp\evp_pbe.c:101:

7956:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:.\crypto\pkcs12\p12_decr.c:83:

7956:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:

error in pkcs12

Can someone shed light on why this does not work in FIPS mode? How does this 
functionality contradict the FIPS requirements?

Is there an alternative that I can use that will work in FIPS mode?

Thanks a lot,

Lior
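
Added example, not part of the original messages: a small parser for the error stack quoted above that re-joins the wrapped lines, unpacks each 8-digit code using the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason), and reports the first entry, which is the one that originally failed. The function names `parse_error_stack` and `root_cause` are hypothetical, and the sample is the stack from this thread embedded as test input.

```python
import re

# Constructed sample: the error stack from the message above, with the
# e-mail line wrapping left in place.
SAMPLE = r"""7956:error:0607B090:digital envelope routines:EVP_CipherInit_ex:disabled for
fips:.\crypto\evp\enc_min.c:306:
7956:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen
failure:.\crypto\evp\evp_pbe.c:101:
7956:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit
error:.\crypto\pkcs12\p12_decr.c:83:
7956:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt
error:.\crypto\pkcs12\p12_decr.c:123:
"""

# pid:error:CODE:library:function:reason:file:line:
ENTRY = re.compile(
    r"(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<library>[^:]*):"
    r"(?P<function>[^:]*):(?P<reason>[^:]*):(?P<file>.*?):(?P<line>\d+):"
)

def parse_error_stack(text):
    """Return the entries in printed order (oldest failure first)."""
    flat = " ".join(text.split())  # undo mail-client line wrapping
    entries = []
    for m in ENTRY.finditer(flat):
        e = m.groupdict()
        code = int(e["code"], 16)
        # Packed code layout used by OpenSSL releases before 3.0.
        e["lib_num"] = (code >> 24) & 0xFF
        e["func_num"] = (code >> 12) & 0xFFF
        e["reason_num"] = code & 0xFFF
        e["line"] = int(e["line"])
        entries.append(e)
    return entries

def root_cause(text):
    """The first printed entry is the innermost call that failed."""
    entries = parse_error_stack(text)
    return entries[0] if entries else None

if __name__ == "__main__":
    for e in parse_error_stack(SAMPLE):
        print(e["lib_num"], e["func_num"], e["reason_num"],
              e["function"], "->", e["reason"])
    rc = root_cause(SAMPLE)
    if rc and rc["reason"] == "disabled for fips":
        print("Root cause: cipher rejected by FIPS mode in", rc["function"])
```

The later entries are the callers reporting the same failure upward, so the PKCS12 errors here are consequences of the cipher initialization being refused.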
