Importing certificates compatibility openSSL vs certutil

PeterUK
PeterUK Posts: 3,461  Guru Member
edited December 2023 in Security

Old models of USG like Zywall 110 or USG 60 don't work with the openSSL command

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

errno: -17011

errmsg: PKI certificate type is not supported

Yet on VPN300 and FLEX 200 it will happily accept it

and using

certutil -MergePFX cert.cer cert.pfx

works on Zywall 110 or USG 60 and VPN300 or FLEX 200

I'm guessing an old copy of openSSL will work?

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee
    edited December 2023

    Hello @PeterUK

    Thank you for your inquiry. Could you specify this question "I'm guessing an old copy of OpenSSL will work?" for us in more detail? Thank you.


  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Maybe there is another openssl for Windows, but I used this

    https://slproweb.com/products/Win32OpenSSL.html

    I tried older versions to see if the newer version causes the old USG models to not work, but it still failed

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,249  Zyxel Employee

    OK, noted. Thank you for your update.


  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited February 25

    So, after some testing, for anyone: the openSSL for Windows will not work for the USG 60 or Zywall 110 and other models, but will for newer models like FLEX200

    I tried the openSSL in Linux Mint and had the same problem for USG 60 or Zywall 110 until you add the

    -legacy

    openssl pkcs12 -export -out /home/dns/ddns.pfx -inkey /home/dns/ddns.key -in /home/dns/ddns.crt -legacy
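
An added example, not part of the thread: in OpenSSL 3.x, `pkcs12 -export` without `-legacy` writes PBES2/AES-256-CBC protection with a SHA-256 MAC, while `-legacy` writes the older PKCS#12 password-based encryption, and the script below reports which of the two a given `.pfx` uses before it is uploaded to a device. The function names, the `PFX_PASS` variable and the two sample texts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report how a PKCS#12 file is protected,
# using the text printed by `openssl pkcs12 -info -noout`.

# Reads that text on stdin; prints "enc=<modern|legacy|mixed|unknown> mac=<digest>".
classify_pfx_info() {
    awk '
        /PBES2/          { modern = 1 }                    # PBES2, e.g. AES-256-CBC with PBKDF2
        /pbeWithSHA1And/ { legacy = 1 }                    # PKCS#12 v1 PBE (40-bit RC2, 3DES)
        /^MAC: /         { mac = $2; sub(/,$/, "", mac) }  # "MAC: sha256, Iteration 2048"
        END {
            enc = "unknown"
            if (modern && legacy) enc = "mixed"
            else if (modern)      enc = "modern"
            else if (legacy)      enc = "legacy"
            if (mac == "") mac = "unknown"
            print "enc=" enc " mac=" mac
        }'
}

# Hypothetical wrapper: inspect_pfx FILE, password taken from the exported
# $PFX_PASS so it does not appear on the command line. -info text goes to stderr.
inspect_pfx() {
    openssl pkcs12 -info -noout -in "$1" -passin env:PFX_PASS 2>&1 | classify_pfx_info
}

# Constructed sample text, in the shape OpenSSL 3.x prints for a default export.
sample_default_info() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

# Constructed sample text for an export made with -legacy.
sample_legacy_info() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}
```

With a real file, export `PFX_PASS` and run `inspect_pfx cert.pfx`; the legacy algorithms are weak, so a file exported with `-legacy` needs the same handling as the unencrypted private key.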
    
