Using National Certificates with OpenSSL and YubiKey

When I tried to use the national certificate, I was unable to do so due to the encryption algorithm. Some algorithms are set as legacy in the newer versions of OpenSSL (3.0.0).

To discover the encryption type, you can run the following:

-> openssl pkcs12 -info -in cert.pfx -noout
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000

For importing it into Firefox, I needed to change the encryption to a newer one. You might not know, but in the PKCS12 format, the certificate and the key are all in the same file, so you can extract all information using some OpenSSL commands:

openssl pkcs12 -legacy -in cert.pfx -clcerts -nokeys -out certificate.crt
openssl pkcs12 -legacy -in cert.pfx -nocerts -out encrypted.key
openssl rsa -in encrypted.key -out private.key

Note that the -legacy option is needed to extract the values.

With all the information extracted, we need to bundle everything in the same file using the following command:

openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

Checking the algorithm again gives better results:

-> openssl pkcs12 -info -in certificate.p12 -noout
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Importing into the browser now works correctly!

yubico-piv-tool -s 9a -a import-cert -i certificate.crt
yubico-piv-tool -s 9a -a import-key -i private.key

yubico-piv-tool -s 9d -a import-cert -i certificate.crt
yubico-piv-tool -s 9d -a import-key -i private.key

yubico-piv-tool -s 9c -a import-cert -i certificate.crt
yubico-piv-tool -s 9c -a import-key -i private.key

Tags

Related articles:

• Make your Golang project more secure with a few simple tools
• Kubernetes Network Policies talk at AtlanticaConf19