Replacing SRM Custom certificate with PKCS#12 fails

Article ID: 367808


Products

VMware Site Recovery Manager 8.x

VMware Live Recovery

Issue/Introduction

Symptoms:

Replacing the SRM certificate with a custom PKCS#12 file fails.

Error in the GUI:
The certificate is not in the correct format or has a different password.

Error in vmware-dr.log:
2023-07-25T06:30:44.149Z error drconfig[01090] [SRM@6876 sub=DrConfigSslCertificateManager opID=34e76de1-6e1f-459b-b77c-b52303268248-installCertificate] Error while processing pkcs string 'N2Dr6Crypto20Pkcs12ParseExceptionE Crypto Exception: Cannot parse PKCS12
--> Reasons:
--> 400614AF717F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Environment

VMware Site Recovery Manager 8.x

VMware vSphere Replication 8.x

Cause

The p12 file was created with the legacy algorithm RC2-40-CBC, which is not supported.

Resolution

Add the following parameters to the openssl command that creates the p12 file:
openssl pkcs12 -export ... -keypbe aes-256-cbc -certpbe aes-256-cbc
Example:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt -keypbe aes-256-cbc -certpbe aes-256-cbc

Additional Information

If the error doesn't show in vmware-dr.log, the password is likely invalid or incorrect for the p12 file.
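
To check a p12 file before uploading it, the algorithm protecting each encrypted bag can be read from the output of openssl pkcs12 -info -noout. The script below is an added example, not part of the original article; the function names, the P12_PASS variable and the sample outputs are constructed for illustration. It flags every bag that is not AES-256-CBC, which is stricter than the single RC2-40-CBC failure the article documents.

```shell
#!/bin/sh
# Added example (not from the article): report which PBE algorithm protects
# each encrypted bag of a PKCS#12 file, from `openssl pkcs12 -info -noout`.

# Constructed sample output: file exported with legacy defaults (RC2-40 certs).
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample output: file exported with -keypbe/-certpbe aes-256-cbc.
SAMPLE_AES='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Reads the -info text on stdin and prints one verdict per encrypted bag.
# Exit status: 0 = every bag is AES-256-CBC, 1 = at least one bag is not,
# 2 = no bag lines at all (wrong password, or not a PKCS#12 file).
classify_p12_info() {
    awk '
        /^PKCS7 Encrypted data:/ || /^Shrouded Keybag:/ {
            bags++
            if ($0 ~ /PBES2.*AES-256-CBC/) {
                print "OK       " $0
            } else {
                other++
                print "REEXPORT " $0
            }
        }
        END {
            if (bags == 0) exit 2
            exit (other > 0 ? 1 : 0)
        }'
}

# Hypothetical wrapper: $1 is the .p12 path; the password is read from the
# P12_PASS environment variable so it is not typed on the command line.
# openssl writes the -info text to stderr, hence 2>&1.
check_p12() {
    openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>&1 |
        classify_p12_info
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LEGACY" | classify_p12_info || echo "-> re-export needed"
printf '%s\n' "$SAMPLE_AES" | classify_p12_info && echo "-> AES-256-CBC throughout"
```

With a real file, export P12_PASS and call check_p12 server.p12. Exit status 2 corresponds to the case above where the RC2-40-CBC error is absent and the password is the likely problem.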