Open
Bug 1439939
Opened 6 years ago
Updated 2 years ago
Exported p12 client certificate fails to load in Powershell and IE
Categories
(NSS :: Libraries, defect, P5)
Tracking
(firefox60 affected)
UNCONFIRMED
Tracking | Status | |
---|---|---|
firefox60 | --- | affected |
People
(Reporter: zao, Unassigned)
Details
I've got a grid client certificate which when exported from Firefox as a .p12 can't import in neither Internet Options on my Windows 10 machine, nor be parsed by PowerShell's Get-PfxData. The error from IE is a generic "wrong password" while PowerShell's Get-PfxData reports: Get-PfxData : An error occurred during encode or decode operation. 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE) This holds for certs exported by both Linux and Windows Firefox Nightly. The very same certificate imports fine in Linux Chrome and once re-exported from Chrome, imports fine on Windows. I've also got an older (expired) certificate from the same issuer that I can export and import correctly with the same Firefox version. Both certs should be SHA2 ones issued by Terena via Digicert, the only real difference I see in them according to openssl's command line tool is that the friendlyName of the bogus one has: friendlyName: First Last id@site.tld^Ys TERENA ID while the good one is: friendlyName: First Last id@site.tld's TERENA ID The ^Y above is a literal 0x12 in the output from openssl. I've got more of the new and old certificates, and the cutoff point from working to broken seems to be when the friendlyName changes. Are we somehow violating some encoding rules about nonprintable characters that Windows trips on?
Reporter | ||
Comment 1•6 years ago
|
||
I'm sorry, I mixed the files up a bit and botched the hex for ^Y. Even the older certificate breaks once exported from Firefox. The difference in friendlyName is between the original certificate I imported into Firefox (which has the apostrophe), and the one exported from Firefox (which has the 0x19 ^Y).
Updated•6 years ago
|
Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: Trunk → other
Comment 2•6 years ago
|
||
I have the same problem. Since firefox 58 cert export function generates wrong *.p12 file which Cannot be imported in Internet Explorer on Windows. Import proccess (in IE) prompts 'Invalid password' message.
Comment 3•6 years ago
|
||
I'll corroborate this issue: Firefox 59 exported P12 files cannot be imported into Windows 10 machines (10.0.16299.2448) using Certificate Manager. Error reported is "incorrect password". Certificate can be imported into Firefox without an issue. Certificate can also be imported successfully by Kleopatra on Linux. Appears to also be corroborated by https://superuser.com/questions/1295305/certificate-export-from-firefox-import-to-windows-store
Comment 4•6 years ago
|
||
OS: Windows 10 - Version 10.0.16299 build 16299 Firefox Quantum 59.0.2 (64-bit) Following Certificates effected. Code Signing Certificates. Admin ID Certificates / Device Tokens. Issue: All Certificates exported as p12 from Firefox experience "The Password you entered is Incorrect." Impact: This has a huge impact with Certificate Authorities as many only use Firefox for keypair certificate creation as Microsoft Edge & Google Chrome lacks the ability to generate fully functional certificate keypairs. Current work around I found for Code Signing certificates Is to use the Digicert Certificate Utility for Windows. (using all the same password and Firefox p12 code signing cert that was generated) import the failed password p12 file into the utility then re-export the certificate from the utility. Windows systems then accept the p12 file after password entry.
Updated•6 years ago
|
Priority: -- → P5
I have also run into this issue and have a workaround that utilises OpenSSL; 1. Export you current certificate to a passwordless pem type: openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes Enter Import Password: MAC verified OK 2. Convert the pem file to a new pfx file with password: openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem Enter Export Password: Verifying - Enter Export Password: This will now be importable either via the MMC, IE or the Installation Wizard
Comment 6•6 years ago
|
||
Same issue here. 59.0.2 (64-bit) on Windows. As an extra information, in my cert there's also a "'" character in the "friendly name", it ressembled this structure: "LAST1 LAST2 NAME - 00000000F's FNMT-RCM ID". I **confirm** the openssl trick **worked** fine.
Comment 7•6 years ago
|
||
Same issue as Xavi, same version and platform, with a similar Spanish FNMT certificate. In my case the ASCII code of the "'" character in the pem generated by open ssl from the p12 file exported by firefox is 25 (decimal). The openssl trick also worked for me.
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•