From 6d69253a0bd1f75b1adb83fbc64e39e2f5319a7e Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Tue, 2 Jul 2024 16:04:40 -0700 Subject: [PATCH] Fix: RHEL-45539 CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode. This very simple fix only does the following. The process fails when trying to export a cert out of the pkcs12 file into a pem file. Currently the cmd fails becuase fips doesn't like the mac verfication alg. Here, since we've already imported the p12 files into the nss db, using other cmds, it should be safe to do this operation without asking openssl to do the mac verify. Change-Id: I134c01ca4f15ef9093e9ff5aaa6c9c1bb820d9ac --- base/server/python/pki/server/deployment/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index c5d905e07e1..bf57cf548ed 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -709,6 +709,7 @@ def import_clone_pkcs12(self): cmd_export_ca = [ 'openssl', 'pkcs12', + '-nomacver', '-in', pki_clone_pkcs12_path, '-out', pki_ca_crt_path, '-nodes',
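Review bot: The added `'-nomacver'` in `cmd_export_ca` turns off the PKCS #12 integrity (MAC) check on every host, not only in FIPS mode where the PKCS12KDF failure occurs, so non-FIPS clone installs lose the check as well. The commit message relies on the same file having been imported into the NSS database earlier, but that import is outside this hunk, and nothing visible here shows that the file is unchanged between that import and this export; if it did change, the certificate written to `pki_ca_crt_path` would come from unverified content. Consider appending the flag only when FIPS mode is detected, and record the reasoning next to it, e.g. `# FIPS: OpenSSL cannot verify the PKCS #12 MAC (no PKCS12KDF); the file was already imported into the NSS DB before this export`. The list and the enclosing `import_clone_pkcs12` continue beyond the hunk, so how the exported certificate is used afterwards should be confirmed against the full function.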