Fix: RHEL-45539 (#4795)

CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode. This very simple fix only does the following. The process fails when trying to export a cert out of the pkcs12 file into a pem file. Currently the cmd fails becuase fips doesn't like the mac verfication alg. Here, since we've already imported the p12 files into the nss db, using other cmds, it should be safe to do this operation without asking openssl to do the mac verify. Change-Id: I134c01ca4f15ef9093e9ff5aaa6c9c1bb820d9ac
dogtagpki · Jul 8, 2024 · 4a05d20 · 4a05d20
1 parent 4b29f9e
commit 4a05d20
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -709,6 +709,7 @@ def import_clone_pkcs12(self):
 
             cmd_export_ca = [
                 'openssl', 'pkcs12',
+                '-nomacver',
                 '-in', pki_clone_pkcs12_path,
                 '-out', pki_ca_crt_path,
                 '-nodes',