Private Certificates exported from Encryption Management Server are unusable

Article ID: 172471

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Exporting any of the following types of private certificate from Encryption Management Server produces a corrupt, unusable *.p12 file:

  1. Organization Certificate.
  2. User S/MIME certificate.
  3. SSL certificate.

Windows 10 gives the following error when you attempt to import the *.p12 file:

This file is invalid for use as the following: Personal Information Exchange.

OpenSSL reports the following error when it tries to process the *.p12 file:

error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

Environment

Encryption Management Server 3.4.2 MP1.

Resolution

This issue is resolved in release 3.4.2 MP2 and above, so please upgrade.

To work around the issue for the Organization Certificate or user S/MIME certificates in release 3.4.2 MP1, please do the following:

  1. Export the private PGP key from Encryption Management Server. Optionally, set a passphrase.
  2. Import the private key into Encryption Desktop by double-clicking on the *.asc file.
  3. Open Encryption Desktop, navigate to PGP Keys / My Private Keys and find the key that you imported.
  4. Expand the components of the key you imported by clicking on the + sign to the left of the key name.
  5. The last item shown will be the encryption certificate.
  6. Right click on the encryption certificate and select Export.
  7. Enable the option Include Private Key(s). The default file name will change to *.p12.
  8. Choose a destination folder and click Save to export the private certificate.
  9. Optionally, delete the private key from Encryption Desktop.
  10. Optionally, rename the *.p12 file to *.pfx so that you can import it into the Windows certificate store by double-clicking on it.
  11. When importing the certificate into the Windows certificate store, you will require the passphrase you set at step 1 above.
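
To check that an exported *.p12 file is structurally plausible before importing or distributing it, the following added example (not from the original article or the product) tests the outer PKCS#12 header that RFC 7292 requires. The article does not say how the MP1 exports are corrupted; the function names and sample bytes are constructed for illustration.

```python
# Added example: structural pre-check for an exported PKCS#12 (*.p12) file.
# RFC 7292: PFX ::= SEQUENCE { version INTEGER (3), authSafe ..., macData ... }

def read_header(buf, pos=0):
    """Return (tag, content_length or None if indefinite, header_length)."""
    if len(buf) - pos < 2:
        raise ValueError("truncated: no room for tag and length")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form length
        return tag, first, 2
    if first == 0x80:                     # BER indefinite length
        return tag, None, 2
    n = first & 0x7F                      # long form: n length octets follow
    # n > 4 is a sanity limit of this example. Length octets that overrun the
    # data are a case OpenSSL reports as "header too long".
    if n > 4 or len(buf) - pos < 2 + n:
        raise ValueError("malformed length header")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def check_pfx(data):
    """Return 'ok' or the reason the bytes cannot be a PKCS#12 PFX."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM text, not binary PKCS#12"
    try:
        tag, length, hdr = read_header(data)
        if tag != 0x30:
            return "outer tag 0x%02x is not SEQUENCE" % tag
        if length is not None and hdr + length > len(data):
            return "declared length exceeds file size (truncated)"
        vtag, vlen, vhdr = read_header(data, hdr)
    except ValueError as exc:
        return str(exc)
    if (vtag, vlen) != (0x02, 1) or data[hdr + vhdr:hdr + vhdr + 1] != b"\x03":
        return "version field is not INTEGER 3"
    return "ok"

# Constructed sample inputs (header-shaped bytes only, not real key material).
SAMPLES = {
    "well-formed header": bytes.fromhex("30050201033000"),
    "truncated": bytes.fromhex("30820a00020103"),
    "bad length header": bytes.fromhex("308400"),
    "pem": b"-----BEGIN CERTIFICATE-----\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # usage: script.py export.p12
        print(check_pfx(open(sys.argv[1], "rb").read()))
    else:
        for name, blob in SAMPLES.items():
            print(name, "->", check_pfx(blob))
```

A result of `ok` only means the outer header is plausible; the passphrase-protected contents are not verified.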

To work around the issue in release 3.4.2 MP1 for SSL certificates, please contact Symantec Technical Support.