Importing certificates compatibility openSSL vs certutil

Options
PeterUK
PeterUK Posts: 2,876  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited December 2023 in Security

Old models of USG like Zywall 110 or USG 60 don't work with opeSSL command

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

errno: -17011

errmsg: PKI certificate type is not supported

Yet on VPN300 and FLEX 200 it will happily accept it

and using

certutil –MergePFX cert.cer cert.pfx

works on Zywall 110 or USG 60 and VPN300 or FLEX 200

I'm guessing a old copy of openSSL will work?

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2023
    Options

    Hello @PeterUK

    Thank you for your inquiry. Could you specify this question "I'm guessing a old copy of OpenSSL will work?" for us in more detail? Thank you.

  • PeterUK
    PeterUK Posts: 2,876  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Maybe there is another openssl for windows but I used this

    https://slproweb.com/products/Win32OpenSSL.html

    I tried older versions to see if newer version cause old USG model to not work but it still failed

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,104  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    OK, noted. Thank you for your update.

  • PeterUK
    PeterUK Posts: 2,876  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 25
    Options

    So after some testing for anyone the openSSL for windows will not work for the USG 60 or Zywall 110 and other model but will for newer models like FLEX200

    I tried the openSSL in linux mint and had the same problem for USG 60 or Zywall 110 until you add the

    -legacy

    openssl pkcs12 -export -out /home/dns/ddns.pfx -inkey /home/dns/ddns.key -in /home/dns/ddns.crt -legacy
    

Security Highlight