Fix: RHEL-45539 (#4795)

CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode. This very simple fix only does the following. The process fails when trying to export a cert out of the pkcs12 file into a pem file. Currently the cmd fails becuase fips doesn't like the mac verfication alg. Here, since we've already imported the p12 files into the nss db, using other cmds, it should be safe to do this operation without asking openssl to do the mac verify. Change-Id: I134c01ca4f15ef9093e9ff5aaa6c9c1bb820d9ac
dogtagpki · Jan 23, 2025 · 400f412 · 400f412
1 parent ba785b6
commit 400f412
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -715,6 +715,7 @@ def import_clone_pkcs12(self):
 
             cmd_export_ca = [
                 'openssl', 'pkcs12',
+                '-nomacver',
                 '-in', pki_clone_pkcs12_path,
                 '-out', pki_ca_crt_path,
                 '-nodes',