On Sun, 2014-10-19 at 00:15 +0800, David Frank wrote:
> Same problem as Alex here, I can't spot a difference between these 2
> commands, but only the openssl one works with AnyConnect client.
>
> - openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name
> "service" -certfile ca-cert.pem -out user.p12

I used gnutls in git to see the difference:

certtool --p12-info --inder <user.p12

MAC info:
    MAC: SHA1 (1.3.14.3.2.26)

BAG #0
    Type: Encrypted
    Cipher: RC2-40
    Schema: PKCS12-RC2-40-SHA1 (1.2.840.113549.1.12.1.6)

BAG #1
    Type: PKCS #8 Encrypted key
PKCS #8 information:
    Cipher: 3DES-CBC
    Schema: PKCS12-3DES-SHA1 (1.2.840.113549.1.12.1.3)

> - certtool --to-p12 --load-ca-certificate ca-cert.pem --load-privkey
> user-key.pem --load-certificate user-cert.pem --outfile user.p12

The equivalent:

MAC info:
    MAC: SHA1 (1.3.14.3.2.26)

BAG #0
    Type: Encrypted
    Cipher: ARCFOUR-128
    Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)

BAG #1
    Type: Encrypted
    Cipher: ARCFOUR-128
    Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)

So I'd suggest to use --pkcs-cipher=3des-pkcs12 as algorithm. That will
also be the default in certtool in 3.4.0.

regards,
Nikos
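The comparison made by eye in the message above can be scripted. This is an added example, not part of the original e-mail or of GnuTLS: it parses two `certtool --p12-info` dumps and lists the bags whose encryption schema differs. The function names are hypothetical, and the sample strings are constructed from the bag sections quoted in the message.

```python
import re

# Constructed sample input: the bag sections of the two dumps quoted above.
OPENSSL_P12 = """\
BAG #0
    Type: Encrypted
    Cipher: RC2-40
    Schema: PKCS12-RC2-40-SHA1 (1.2.840.113549.1.12.1.6)
BAG #1
    Type: PKCS #8 Encrypted key
PKCS #8 information:
    Cipher: 3DES-CBC
    Schema: PKCS12-3DES-SHA1 (1.2.840.113549.1.12.1.3)
"""
CERTTOOL_P12 = """\
BAG #0
    Type: Encrypted
    Cipher: ARCFOUR-128
    Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
BAG #1
    Type: Encrypted
    Cipher: ARCFOUR-128
    Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
"""

BAG = re.compile(r"^\s*BAG #(\d+)\s*$")
FIELD = re.compile(r"^\s*(Type|Cipher|Schema):\s*(.+?)\s*$")

def parse_p12_info(text):
    """Map bag number -> {'type', 'cipher', 'schema'} from --p12-info output."""
    bags, current = {}, None
    for line in text.splitlines():
        bag = BAG.match(line)
        if bag:
            current = bags.setdefault(int(bag.group(1)), {})
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1).lower()] = field.group(2)
    return bags

def diff_schemas(a, b):
    """Return (bag, schema_a, schema_b) for each bag whose schema differs."""
    pa, pb = parse_p12_info(a), parse_p12_info(b)
    pairs = [(n, pa.get(n, {}).get("schema"), pb.get(n, {}).get("schema"))
             for n in sorted(set(pa) | set(pb))]
    return [p for p in pairs if p[1] != p[2]]

if __name__ == "__main__":
    for n, ours, theirs in diff_schemas(OPENSSL_P12, CERTTOOL_P12):
        print(f"BAG #{n}: openssl={ours} | certtool={theirs}")
```

To compare real files, feed the text printed by `certtool --p12-info --inder <user.p12` for each file to `diff_schemas` in place of the constructed strings.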