Aditya_Mehra
Mar 14, 2018

Convert to pkcs 12 format

Hi All, I created a CSR and have received the certs from the CA. I will be using those on the F5. But the server team needs the cert and key in PKCS 12 format.

I have the below:

certificate file -> server.crt

key file -> server.key (this is already in the F5, downloaded it from the BIGIP)

root CA -> CACert.csr

How can I convert it to PKCS in F5?

I tried the below but it does not work:

    openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt

Can anyone please help with this?

Thanks, Aditya

  • this command works in my F5:

    openssl pkcs12 -export -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:wildcard_demo.local.crt_47284_1 -inkey /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:wildcard_demo.local.key_47282_1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -out /var/tmp/democert.p12 -certfile /config/filestore/files_d/Common_d/certificate_d/\:Common\:DEMO_CA.crt_47294_1
    

    or

    openssl pkcs12 -export -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:wildcard_demo.local.crt_47284_1 -inkey /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:wildcard_demo.local.key_47282_1 -certpbe AES-256-CBC -keypbe AES-256-CBC -out /var/tmp/democert.p12 -certfile /config/filestore/files_d/Common_d/certificate_d/\:Common\:DEMO_CA.crt_47294_1
    

    NOTE: If you do not explicitly specify the certpbe and keypbe algorithms, this version defaults to using pbewithSHAAnd40BitRC2-CBC to protect the certificate and pbeWithSHAAnd3-KeyTripleDES-CBC to protect the key.

    RC2 was designed in 1987 and has been considered weak for a very long time. 3DES is still considered by many to offer 112 bits of security, though in 2015 it is clearly not an algorithm that should still be in use.

    Source : http://unmitigatedrisk.com/?p=543
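
To check which algorithms actually protect an exported file, following the NOTE in the answer above, this added example (not part of the original thread) classifies the bag lines reported by `openssl pkcs12 -info -noout`. The function names, the `P12_PASS` variable and the sample output lines are assumptions made for illustration; the exact `-info` wording varies between OpenSSL versions.

```shell
#!/bin/sh
# Added example: flag weak PBE algorithms in `openssl pkcs12 -info` output.
# classify_pbe and audit_p12 are illustrative names, not OpenSSL or F5 tools.

# Reads -info output on stdin and prints one verdict per encrypted bag.
# Returns 0 if every bag is fine, 1 if any uses RC2 or 3DES, 2 if none found.
classify_pbe() {
  pbe_rc=0; pbe_found=0
  while IFS= read -r pbe_line; do
    case "$pbe_line" in
      "PKCS7 Encrypted data:"*|"Shrouded Keybag:"*) pbe_found=1 ;;
      *) continue ;;
    esac
    case "$pbe_line" in
      *RC2*)              echo "WEAK (RC2):  $pbe_line"; pbe_rc=1 ;;
      *TripleDES*|*3DES*) echo "WEAK (3DES): $pbe_line"; pbe_rc=1 ;;
      *)                  echo "OK:          $pbe_line" ;;
    esac
  done
  [ "$pbe_found" -eq 1 ] || { echo "no encrypted bags in input"; return 2; }
  return "$pbe_rc"
}

# Audits a real file. The password comes from the P12_PASS environment
# variable so it is not passed as a command-line argument. 2>&1 captures the
# algorithm lines whichever stream this OpenSSL build writes them to.
audit_p12() {
  openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1 | classify_pbe
}

# Constructed sample output (not captured from a real system): an export made
# with the defaults named in the NOTE, and one made with AES-256-CBC.
SAMPLE_DEFAULT='MAC Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
SAMPLE_AES='PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048'

printf '%s\n' "$SAMPLE_DEFAULT" | classify_pbe || true
printf '%s\n' "$SAMPLE_AES" | classify_pbe || true
```

For a real file, run `P12_PASS='...' audit_p12 /var/tmp/democert.p12` and treat a non-zero exit status as a reason to re-export with explicit `-certpbe` and `-keypbe` values.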