Richard C.
Reading cryptographic certificates is a common task when working with security. However, if the certificate you use is outdated, it may use cryptography that's unsupported by modern OpenSSL. You will then get the error `error:0308010C:digital envelope routines::unsupported` when calling `openssl pkcs12`.
You'll encounter the same error if you use a programming language that relies on your operating system's OpenSSL, for example when calling `openssl_pkcs12_read` in PHP or `cryptography.hazmat.primitives.serialization.pkcs12` in Python.
If you read the PFX file in the terminal, you can add `-legacy` to the read command. For example, if you have a certificate file made in OpenSSL version 1 that you try to open in version 3:

```shell
openssl pkcs12 -in mycert.pfx -nodes
# error:
# 40176B4E4C750000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

openssl pkcs12 -in mycert.pfx -nodes -legacy
# correctly outputs contents
```
If you use a programming language that relies on OpenSSL instead of the terminal, you'll need to edit your OpenSSL configuration file.

As a superuser, edit the `/etc/ssl/openssl.cnf` file. Activate the existing `[default_sect]`, add a `[legacy_sect]`, and add `legacy` to the `[provider_sect]`. The sections should now look like this:

```ini
[default_sect]
activate = 1

[legacy_sect]
activate = 1

[provider_sect]
default = default_sect
legacy = legacy_sect
```
Save and exit. Your code will now be able to read legacy OpenSSL certificates.
If you want to create your own legacy PFX file for testing, start the `docker.io/bitnami/laravel:8` Docker image and connect to bash inside it with `docker exec -it your_container_name bash`.
By running `openssl version` in the Docker container you can see the image uses `OpenSSL 1.1.1d 10 Sep 2019`.
Then make a PFX file with the following commands:

```shell
openssl genrsa -out mycert.key 2048
openssl req -new -x509 -key mycert.key -out mycert.crt -days 365 -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My Department/CN=mydomain.com"
openssl pkcs12 -export -out mycert.pfx -inkey mycert.key -in mycert.crt -password pass:
```
Read it:

```shell
openssl pkcs12 -in mycert.pfx -nodes
# press Enter when asked for a password
```
If you have the latest version of your operating system on your physical machine, it should have OpenSSL version 3 or later, and you can try to read the file generated in the container to test whether `-legacy` works.
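If you want to know in advance whether a given PFX file needs the legacy provider, you can walk its DER encoding and look at the PBE algorithm OIDs it carries, without calling OpenSSL at all. The following is an added example, not code from the original answer: `SAMPLE_LEGACY_PFX` is a constructed PKCS#12-shaped skeleton using RC2-40-CBC (not a real certificate file), and `der`, `list_oids` and `needs_legacy_provider` are names chosen here.

```python
# PKCS#12 PBE schemes that OpenSSL 3 serves only from the legacy provider (OID -> name).
LEGACY_PBE_OIDS = {"1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
                   "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
                   "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
                   "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC"}  # OpenSSL 1.x default

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F or length == 0x80:  # high tag numbers / indefinite length never occur here
        raise ValueError("unsupported encoding")
    if length & 0x80:                          # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    arcs, cur = list(divmod(value[0], 40)), 0  # first byte packs the first two arcs
    for b in value[1:]:                        # remaining arcs are base-128, high bit = continue
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def list_oids(buf):
    """Collect every OID in nested SEQUENCE/SET/[n] elements and in OCTET STRINGs that hold DER."""
    pos, found = 0, []
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(value))
        elif tag & 0x20 or tag == 0x04:        # constructed, or an OCTET STRING wrapping SafeContents
            try:
                found.extend(list_oids(value))
            except (ValueError, IndexError):
                pass                           # opaque bytes (ciphertext, salt, MAC digest): skip
    return found

def needs_legacy_provider(pfx_der):
    """Names of legacy PBE schemes the PFX uses; an empty list means the default provider suffices."""
    return sorted({LEGACY_PBE_OIDS[o] for o in list_oids(pfx_der) if o in LEGACY_PBE_OIDS})

def der(tag, content):
    """Minimal DER encoder (content < 256 bytes) used to build the constructed fixture below."""
    length = bytes([len(content)]) if len(content) < 128 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + length + content

# Constructed fixture: a PFX-shaped skeleton whose EncryptedData uses RC2-40-CBC, as in the error above.
RC2_40, DATA, ENC = (der(0x06, bytes.fromhex(h)) for h in ("2A864886F70D010C0106", "2A864886F70D010701", "2A864886F70D010706"))
enc_info = der(0x30, DATA + der(0x30, RC2_40 + der(0x30, der(0x04, b"salt") + der(0x02, b"\x08\x00"))) + der(0x80, b"\xde\xad\xbe\xef"))
enc_data = der(0x30, ENC + der(0xA0, der(0x30, der(0x02, b"\x00") + enc_info)))
SAMPLE_LEGACY_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, DATA + der(0xA0, der(0x04, der(0x30, enc_data)))))
```

On a real file, call `needs_legacy_provider(open("mycert.pfx", "rb").read())`; a non-empty result means `openssl pkcs12` needs `-legacy` (or the `legacy_sect` configuration above), while 3DES and PBES2/AES files return an empty list because the default provider handles them. The OCTET STRING descent is a heuristic: ciphertext that happens to parse as DER only adds junk OIDs that never match the legacy table.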