New FP5 - can't import PFX/P12 security certificate

Hello all,

Here on my new FP5 I must import some security client certificates, for VPN, email, and websites. But whenever I import the PFX/P12 I get the error that the password is wrong. But it is correct. I can import it on other phones and computers.

I tested importing directly into the certificate store, in the mail app (officemail nine), and in the Fortiguard Enterprise VPN client. But in all apps it is the same error with “wrong password”.

I also exported the PFX with “no password” but got the same error. (Yes, that makes no sense.)

What do I have to do so that I can import a PFX/P12 client cert on my FP5?
e/OS 1.19.1.x

Many thanks
Best regards
boospy

I have now found something about it and was able to solve it… but I don’t quite understand the reason. Should newer versions no longer be able to do this? https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug

Interesting. And a good Stack Overflow answer with a compatibility table. In early 2023 (see bottom links) some more tests got added, so there should be options for newer key ciphers beyond that table in later Androids. But for the old 3des / rc2 ciphers it seems sha1 is the only way.

Your p12 cert file used a hash/cipher combo on parts (cert, key) or the whole (+ mac) of it that Android 12 didn’t like.

What did the original file use?

openssl pkcs12 -info -in yourfile.p12 | grep -E '(MAC|PKCS|Keybag)'

If you feed the compat table back to the sysadmin handing the p12 out, users after you will have an easier life.

Strange, this is the output:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Why PKCS7? I exported a pkcs12. Looks like a software error… I use XCA: https://www.hohnstaedt.de/xca/index.php/download

Anyway, it’s sha256 and Android12/13 can’t do that.
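
Added example, not part of the thread: a shell function that reads the text printed by `openssl pkcs12 -info` and applies the rule stated in the replies above (legacy 3DES/RC2 encryption is only expected to import with a SHA-1 MAC). The name `p12_compat_check`, the verdict strings and the `sample_*` helpers are assumptions made here; the first sample is the output posted in the thread, the second is constructed from it.

```shell
#!/bin/sh
# Added example. The rule applied is the one stated in the thread, not a full
# Android compatibility table: 3DES/RC2 PBE bags need a SHA-1 MAC.

# Reads `openssl pkcs12 -info` text on stdin and prints one verdict line.
# Exit status: 0 = OK, 1 = MISMATCH, 2 = no MAC line found.
p12_compat_check() {
    awk '
        /^MAC: / { mac = $2; sub(/,$/, "", mac) }      # "sha256," becomes "sha256"
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            alg = $0
            sub(/^[^:]*: /, "", alg)                    # drop the bag label
            sub(/,.*$/, "", alg)                        # drop ", Iteration N"
            if (alg ~ /TripleDES|RC2/) legacy = 1
            algs = algs (algs == "" ? "" : " ") alg
        }
        END {
            if (mac == "") { print "UNKNOWN no MAC line"; exit 2 }
            if (legacy && tolower(mac) != "sha1") {
                print "MISMATCH mac=" mac " pbe=" algs; exit 1
            }
            print "OK mac=" mac " pbe=" algs
        }'
}

# Output posted in the thread (sha256 MAC over 3DES-encrypted bags).
sample_thread() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: the same bags with the MAC switched to sha1.
sample_sha1() {
    sample_thread | sed 's/^MAC: sha256/MAC: sha1/; s/^MAC length: 32/MAC length: 20/'
}

sample_thread | p12_compat_check || true
sample_sha1 | p12_compat_check
# Real file: openssl pkcs12 -info -noout -in yourfile.p12 2>&1 | p12_compat_check
```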
