PROBLEM
OpenSSL has shifted its major version from 1.x to 3.x and, in doing so, changed the way certain operations and algorithms are implemented. In the context of ArcGIS products, this may impact the ability to use certain PFX files that are encrypted using a deprecated message digest or symmetric cipher.
The removed operations and algorithms are listed in the OpenSSL legacy provider documentation.
When attempting to import the PFX file (in the case of ArcGIS Monitor) or use it as part of the deployment scripts (in the case of ArcGIS Enterprise on Kubernetes), there are several error responses that may be returned (not an exhaustive list).
The PKCS12 keystore (PFX file) should be re-created (or re-exported) from source using a newer, secure hashing algorithm and/or symmetric cipher. For example, when exporting from a Windows machine using MMC, the AES256-SHA256 option (introduced in Server 2016 update 1709) should be used.
Otherwise, the certificate can be upgraded using an OpenSSL 3.x binary and output to a new PFX file. To confirm the version of OpenSSL being used to combine the public and private key into a PFX file, run the following command:
openssl version
Once the version of OpenSSL is confirmed, the public and private keys stored in PEM-encoded files can be recombined with the following syntax:
openssl pkcs12 -export -in public_key.pem -inkey private_key.pem -out new-certificate.pfx
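The following shell sketch is an added example, not part of the original article or of Esri's tooling. It checks whether an existing PFX uses RC2- or RC4-based encryption, which OpenSSL 3.x only provides through the legacy provider, and re-exports the file with the OpenSSL 3.x defaults. The function names are hypothetical, the sample text is constructed to resemble `openssl pkcs12 -info -noout` output, and the RC2/RC4 pattern is an assumption that does not cover every legacy algorithm.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample text is constructed.

# Filter `openssl pkcs12 -info -noout` output (stdin) down to the lines that
# name an RC2- or RC4-based PBE scheme. Exit status 0 means at least one hit.
find_legacy_pbe() {
    grep -E 'pbeWithSHA1And(40|128)Bit(RC2-CBC|RC4)'
}

# Inspect a PFX with an OpenSSL 3.x binary; prompts for the import password.
# -legacy loads the legacy provider so an old file can still be opened.
inspect_pfx() {
    openssl pkcs12 -legacy -info -noout -in "$1" 2>&1 | find_legacy_pbe
}

# Decrypt the old PFX via the legacy provider, then re-export it with the
# OpenSSL 3.x defaults. Runs in a subshell so the umask change stays local;
# the unencrypted intermediate PEM is owner-readable only and always removed.
reexport_pfx() (
    old=$1 new=$2
    umask 077
    tmp=$(mktemp) || exit 1
    openssl pkcs12 -legacy -in "$old" -noenc -out "$tmp" &&
        openssl pkcs12 -export -in "$tmp" -out "$new"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Constructed sample: a PFX whose certificate bag is RC2-40 encrypted.
sample_legacy_info() {
cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: a PFX written with AES-256 and SHA-256.
sample_modern_info() {
cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}
```

Run `inspect_pfx old.pfx` first; if it prints a match, `reexport_pfx old.pfx new-certificate.pfx` writes the replacement file and prompts for the import and export passwords.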
Article ID: 000031150