From 400f412eece3d2547264d7b1dcf74cf0ec8ca93f Mon Sep 17 00:00:00 2001
From: jmagne
Date: Mon, 8 Jul 2024 09:54:31 -0700
Subject: [PATCH] Fix: RHEL-45539 (#4795) CA Clone Installation is failing with 'Error verifying PKCS12 MAC; no PKCS12KDF support.' in FIPS mode. This very simple fix only does the following. The process fails when trying to export a cert out of the pkcs12 file into a pem file. Currently the cmd fails becuase fips doesn't like the mac verfication alg. Here, since we've already imported the p12 files into the nss db, using other cmds, it should be safe to do this operation without asking openssl to do the mac verify.
Change-Id: I134c01ca4f15ef9093e9ff5aaa6c9c1bb820d9ac
---
 base/server/python/pki/server/deployment/__init__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 70505aa746c..b3e2d677e4c 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -715,6 +715,7 @@ def import_clone_pkcs12(self):
 cmd_export_ca = [
 'openssl',
 'pkcs12',
+ '-nomacver',
 '-in', pki_clone_pkcs12_path,
 '-out', pki_ca_crt_path,
 '-nodes',
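Review bot: The added `'-nomacver',` entry in `cmd_export_ca` turns off the PKCS #12 integrity check for every clone installation, not only in FIPS mode where the MAC algorithm is unavailable. The justification that the file was already verified when it was imported into the NSS database exists only in the commit message, and that import is not visible in this hunk, so the code carries no record of the assumption it depends on. I would put a comment directly above the flag, for example `# -nomacver: FIPS OpenSSL has no PKCS12KDF; integrity was already checked by the earlier NSS import of this same file`. Consider also appending the flag only when FIPS mode is detected, so non-FIPS hosts keep the MAC check, and confirming the file cannot be replaced between the NSS import and this export. The body of `import_clone_pkcs12` starts and ends outside the hunk, so the remaining openssl arguments could not be reviewed.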