
Okta Workflows MTLS API Connector: How to Repackage Client Credentials to Meet Compliance Checks

Workflows

Overview

The Okta Workflows mTLS API connector requires that all uploaded P12/PFX files use FIPS-compliant algorithms. Specifically, the key and certificate bags must be encrypted with AES-256-CBC, and the container's MAC integrity check must use PBMAC1 with PBKDF2 (as specified in RFC 9579).

When attempting to upload a non-compliant P12 file, the following error appears:

P12 container is not compliant, it may be using legacy algorithms or MAC.

This guide demonstrates how to use OpenSSL to convert legacy credential packages (which use the traditional RFC 7292 Appendix B password-based key derivation) into compliant containers.


Prerequisites

  • OpenSSL 3.4 or later: The OpenSSL FIPS provider itself is not needed, but version 3.4 or later is required because it introduces the bundling flags used below (-pbmac1_pbkdf2).
  • Windows Users: The native Windows certificate export utilities do not currently support writing PFX packages with a PBMAC1 structure. OpenSSL 3.4+ must be run from a command line (such as Git Bash or WSL) to complete this action.



Solution

1. Check OpenSSL Version

openssl version

If the reported version is lower than 3.4, upgrade the OpenSSL build following the publicly available documentation for your platform.

2. Extract the Private Key and Certificate

Extract the components into temporary .key and .cer files.

⚠️ Security Warning: The intermediate key file generated below will be unencrypted (-noenc). Ensure these steps are performed in a secure directory and complete the cleanup step at the end.

openssl pkcs12 -in "client-credential.p12" -nocerts -out "client-key.key" -noenc -legacy

openssl pkcs12 -in "client-credential.p12" -clcerts -nokeys -out "client-cert.cer" -legacy

 

3. Create the Compliant P12/PFX File

Re-bundle the components using the modern Password-Based Encryption Scheme 2 (PBES2) for the bags and PBMAC1 for the integrity check. Replace StrongPasswordPlainText with the desired container password.

openssl pkcs12 -export -in "client-cert.cer" -inkey "client-key.key" -out "client-credential-compliant.p12" -password "pass:StrongPasswordPlainText" -keypbe AES-256-CBC -certpbe AES-256-CBC -pbmac1_pbkdf2 -macalg sha256

4. Validate the PBMAC1 Structure

Verify that the outer MAC and the inner wrappers use the correct integrity and encryption algorithms:

openssl pkcs12 -in client-credential-compliant.p12 -info -noout

Expected Output:

MAC: PBMAC1 using PBKDF2, Iteration 2048, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

5. Clean Up

For security reasons, permanently delete the unencrypted temporary files from the local file system once the compliant P12 file has been generated and uploaded.

# macOS/Linux

rm client-key.key client-cert.cer

# Windows PowerShell

Remove-Item client-key.key, client-cert.cer

The client-credential-compliant.p12 file can now be uploaded to the Okta Workflows mTLS connection configuration.
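The five steps above, wrapped into a single POSIX shell script as an added example (this is not Okta's script and not part of the original article). It assumes OpenSSL 3.4 or later is on PATH with the legacy provider available, takes the input and output passwords on the command line via the standard -passin/-password options, keeps the unencrypted key only inside a temporary directory that is removed before the function returns, and finishes by checking the `openssl pkcs12 -info` output against the algorithms the connector requires. The function names, file names and the two sample info outputs are placeholders constructed for the example; the compliant sample copies the expected output shown in step 4, and the legacy sample is shaped like the output of a container that still uses the RFC 7292 Appendix B algorithms.

```shell
#!/bin/sh
# Added example, not Okta's own tooling. Assumes OpenSSL 3.4+ on PATH.

# Return 0 if a dotted version string (e.g. "3.4.1") is at least 3.4.
version_at_least_3_4() {
    _major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    _minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${_major:-0}" -gt 3 ] || { [ "${_major:-0}" -eq 3 ] && [ "${_minor:-0}" -ge 4 ]; }
}

# `openssl version` prints e.g. "OpenSSL 3.4.1 11 Feb 2025"; field 2 is the version.
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# Read `openssl pkcs12 -info -noout` output on stdin. Return 0 only when the
# MAC is PBMAC1/PBKDF2 and both the certificate bag and the shrouded key bag
# are PBES2 with AES-256-CBC, i.e. the structure step 4 expects.
p12_info_is_compliant() {
    _info=$(cat)
    printf '%s\n' "$_info" | grep -q '^ *MAC: PBMAC1 using PBKDF2' || return 1
    printf '%s\n' "$_info" | grep -q '^PKCS7 Encrypted data:' || return 1
    printf '%s\n' "$_info" | grep -q '^Shrouded Keybag:' || return 1
    # Any bag line that is not PBES2/AES-256-CBC means a legacy algorithm survived.
    printf '%s\n' "$_info" | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' \
        | grep -qv 'PBES2, PBKDF2, AES-256-CBC' && return 1
    return 0
}

# Steps 2-5: extract, re-bundle with PBES2 + PBMAC1, verify, clean up.
# $1 = legacy .p12, $2 = output .p12, $3 = input password, $4 = output password.
repackage_p12() {
    _in="$1"; _out="$2"; _inpass="$3"; _outpass="$4"
    _tmp=$(mktemp -d) || return 1
    _rc=1
    # Step 2: the key lands unencrypted (-noenc) in a private temp directory only.
    openssl pkcs12 -in "$_in" -nocerts -out "$_tmp/client-key.key" -noenc -legacy \
        -passin "pass:$_inpass" &&
    openssl pkcs12 -in "$_in" -clcerts -nokeys -out "$_tmp/client-cert.cer" -legacy \
        -passin "pass:$_inpass" &&
    # Step 3: re-bundle with AES-256-CBC bags and a PBMAC1/PBKDF2 MAC.
    openssl pkcs12 -export -in "$_tmp/client-cert.cer" -inkey "$_tmp/client-key.key" \
        -out "$_out" -password "pass:$_outpass" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -pbmac1_pbkdf2 -macalg sha256 &&
    # Step 4: the -info lines are written to stderr, so merge it before checking.
    openssl pkcs12 -in "$_out" -info -noout -passin "pass:$_outpass" 2>&1 \
        | p12_info_is_compliant && _rc=0
    # Step 5: the unencrypted key never outlives this function.
    rm -rf "$_tmp"
    return $_rc
}

# Constructed sample matching the expected output in step 4.
SAMPLE_COMPLIANT='MAC: PBMAC1 using PBKDF2, Iteration 2048, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Constructed sample shaped like a legacy (RFC 7292 Appendix B) container.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Usage: sh repackage.sh legacy.p12 compliant.p12 OLDPASS NEWPASS
if [ "$#" -eq 4 ]; then
    _v=$(installed_openssl_version)
    version_at_least_3_4 "$_v" || { echo "OpenSSL ${_v:-not found}; 3.4+ is required" >&2; exit 1; }
    repackage_p12 "$@" || { echo "repackaging failed or output is not compliant" >&2; exit 1; }
    echo "wrote compliant container: $2"
fi
```

The compliance check is deliberately strict: it insists that both bag types are present and encrypted with PBES2/AES-256-CBC, so a container whose certificates were left unencrypted (plain "PKCS7 Data") or whose key bag still uses a pbeWithSHA1... scheme is reported as non-compliant before it is uploaded.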


Helpful Resources

Mutual TLS (mTLS) authentication in Okta Workflows
