From 4a05d20ba52a77011a1d88cc9023b48dee636876 Mon Sep 17 00:00:00 2001 From: jmagne Date: Mon, 8 Jul 2024 09:54:31 -0700 Subject: [PATCH] Fix: RHEL-45539 (#4795) CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode. This very simple fix only does the following. The process fails when trying to export a cert out of the pkcs12 file into a pem file. Currently the cmd fails becuase fips doesn't like the mac verfication alg. Here, since we've already imported the p12 files into the nss db, using other cmds, it should be safe to do this operation without asking openssl to do the mac verify. Change-Id: I134c01ca4f15ef9093e9ff5aaa6c9c1bb820d9ac
---
 base/server/python/pki/server/deployment/__init__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index c5d905e07e1..bf57cf548ed 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -709,6 +709,7 @@ def import_clone_pkcs12(self):
 cmd_export_ca = [
 'openssl',
 'pkcs12',
+ '-nomacver',
 '-in', pki_clone_pkcs12_path,
 '-out', pki_ca_crt_path,
 '-nodes',
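Review bot: `'-nomacver'` is added to `cmd_export_ca` unconditionally, so the PKCS #12 integrity check is skipped on every clone installation rather than only in FIPS mode, where the MAC algorithm is rejected, and nothing in the code records why that is acceptable. The commit message relies on the file having already been imported into the NSS database by other commands; that ordering is not visible in this hunk, and the file is read again from `pki_clone_pkcs12_path` here, so a file that changed between the two steps would be exported without any check. At minimum, once the earlier verification is confirmed, add a comment above the flag such as `# -nomacver: FIPS OpenSSL has no PKCS12KDF; the MAC was already checked when this file was imported into the NSS db`. Also consider passing the flag only when FIPS mode is detected, or exporting the CA certificate from the NSS database instead of re-parsing the file. Both the `cmd_export_ca` list and `import_clone_pkcs12` continue outside the hunk.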