How to export SSL certificates from a LoadMaster Certificate Backup

Hi

Openssl has changed the default message digest from MD5 (openssl-1.0) to SHA256 (openssl-1.1). As with KEMP 7.2.42 the digest is not yet adapted and you have to use following command in order to be able to decrypt the file:
openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k passphrase

thank you @emak! Kemp needs to update this kb!

I can't get this to work on Ubuntu 20.04:
openssl enc -d -aes256 -md md5 -in CertBackup_2020_08_05.00.57 > cer.tar
enter aes-256-cbc decryption password:
bad magic number

Hi @jkuter

I tried both ways the original command...
openssl enc -in CertBackup.aes -out certbackup2.tar -d -aes256 -md md5 -k password

Also tried it with yours...
openssl enc -d -aes256 -md md5 -in CertBackup.aes > cer.tar

And both worked. I noticed though you did not rename your file and maybe also did not unzip it before trying the command, can you try that and then try again please?

I tried the documented way as well, same error no matter what passphrase I use. What version of Kemp and what OS are you using? I will try downloading it in windows and running it in WSL and see if it makes a difference.

Hi,

The LM version is .48.1 and Ubuntu is 20.04.1 LTS. You did unzip before hand correct? Are you using any special characters in your passphrase?

7.2.48.1.17992.RELEASE.20191108-2115 No matter what I try even with password 123456 I get magic number error. Just received the same error in Windows WSL (Ubuntu). I will try another Kemp box and see if I can reproduce there. I am backing up from the cert backup and restore screen in the WUI.

jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv CertBackup_2020_08_05.15.57 certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ gzip -d certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup certbackup.gz
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ mv certbackup.gz certbackup.aes
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ openssl enc -in certbackup.aes -out certbackup.tar -d -aes256 -md md5 -k 123456
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
jkuter@ah-jkuter2:/mnt/c/Users/jkuter/Downloads$ tar xfvz certbackup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

Is it the Kemp version? Do I need to upgrade? Just tried on an Azure kemp and an onprem kemp and received the same error.

Hi,

So I also get the..

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

error but in the end I do get a .tar file which has my certs in it. I just use winscp to move to my desktop and unzip it there. Another thing to note is that you unzip using gzip -d just to change the file name again to .gz this step is not needed and could be causing you problem when you try to tar it after running the openSSL command.

I tried on the same version as yours and a newer version, both work fine

gzip -d is step 4 of the instructions, I also thought it wasn't useful which is why I was using the other command (which you said works for you). I gave up on this (probably an issue with the minor version we are using), thanks for the help, we don't really need this functionality, it was just something we were trying out.