A Calustra - Eloy Coto Pereiro

Using National Certificates with OpenSSL and YubiKey


When I tried to use the national certificate, I was unable to do so because of the encryption algorithm protecting the file: newer versions of OpenSSL (3.0.0) treat some of these algorithms as legacy and refuse to use them by default.

To discover the encryption type, you can run the following:

-> openssl pkcs12 -info -in cert.pfx -noout
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000

To import it into Firefox, I needed to re-encrypt it with a newer algorithm. In the PKCS#12 format the certificate and the private key live together in the same file, so you can extract each part with OpenSSL:

openssl pkcs12 -legacy -in cert.pfx -clcerts -nokeys -out certificate.crt
openssl pkcs12 -legacy -in cert.pfx -nocerts -out encrypted.key
openssl rsa -in encrypted.key -out private.key

Note that the -legacy option is needed to extract the values: it loads OpenSSL's legacy provider, which is where the old PBE ciphers now live. Also note that private.key is written unencrypted to disk, so remove it once the new bundle (and any YubiKey import) is done.

With all the information extracted, we need to bundle everything in the same file using the following command:

openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate.p12

Checking the algorithm again gives better results:

-> openssl pkcs12 -info -in certificate.p12 -noout
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Importing into the browser now works correctly!
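As an added example (not part of the original post), the following POSIX shell functions classify the schemes reported by `openssl pkcs12 -info -noout` and re-wrap a legacy file with the same commands as above in one step, keeping the plaintext key only in a private temp directory. The function names and the two sample outputs are constructed for this example (they mirror the output shown in the post).

```shell
#!/bin/sh
# Constructed sample: what the original cert.pfx reported (legacy PBE schemes).
LEGACY_INFO='Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000'

# Constructed sample: what the re-exported certificate.p12 reported (PBES2).
MODERN_INFO='PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Keep only the lines that name a password-based encryption scheme.
pbe_lines() {
    grep -E '^(Shrouded Keybag|PKCS7 Encrypted data):'
}

# Exit 0 when every PBE line uses PBES2 (PBKDF2 + a modern cipher), 1 otherwise.
# Takes the text of `openssl pkcs12 -info -noout` as its single argument.
pkcs12_is_modern() {
    n_total=$(printf '%s\n' "$1" | pbe_lines | grep -c '' || true)
    n_pbes2=$(printf '%s\n' "$1" | pbe_lines | grep -c 'PBES2' || true)
    [ "$n_total" -gt 0 ] && [ "$n_total" -eq "$n_pbes2" ]
}

# Exit 0 when a scheme uses RC2 or RC4, i.e. a cipher that OpenSSL 3 only
# provides through the legacy provider, so `-legacy` must be added.
pkcs12_needs_legacy() {
    printf '%s\n' "$1" | pbe_lines | grep -qE 'RC2|RC4'
}

# Re-wrap IN (legacy PKCS#12) as OUT (PBES2/AES-256-CBC). Same openssl
# commands as the post; the intermediate plaintext key lives in a 0700 temp
# dir that is wiped afterwards. Prompts for the import/export passwords.
rewrap_pkcs12() {
    in=$1; out=$2
    work=$(mktemp -d) || return 1
    chmod 700 "$work"
    openssl pkcs12 -legacy -in "$in" -clcerts -nokeys -out "$work/cert.crt" &&
    openssl pkcs12 -legacy -in "$in" -nocerts -nodes -out "$work/key.pem" &&
    openssl pkcs12 -export -in "$work/cert.crt" -inkey "$work/key.pem" -out "$out"
    status=$?
    rm -rf "$work"
    return "$status"
}
```

Usage: `info=$(openssl pkcs12 -info -in cert.pfx -noout 2>/dev/null)` and then `pkcs12_is_modern "$info" || rewrap_pkcs12 cert.pfx certificate.p12`.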

Bonus: Want to store it in the YubiKey?

YubiKey is a nice tool that I highly recommend. A YubiKey can store PIV certificates and their private keys in dedicated slots. You can load the certificate and key extracted above using the following commands:

Load into Auth slot:

yubico-piv-tool -s 9a -a import-cert -i certificate.crt
yubico-piv-tool -s 9a -a import-key -i private.key

Load into Card Auth slot:

yubico-piv-tool -s 9d -a import-cert -i certificate.crt
yubico-piv-tool -s 9d -a import-key -i private.key

Load into Digital Signature slot:

yubico-piv-tool -s 9c -a import-cert -i certificate.crt
yubico-piv-tool -s 9c -a import-key -i private.key

You can learn about the purpose of each slot in the following documentation:

With this setup, each time an mTLS request is needed in Firefox, the browser will ask for the YubiKey password.

Hope that helps!
