Issue: “Bag attributes are present in your certificates files and are not supported with Automation suite. Please remove bag attributes from the certificate”
Root Cause: Our certificate upgrade script only accepts certificates in PEM format however many times a customer will bring a pfx certificate instead, in such cases there is a need to extract the certificate in cer/crt format and its key respective key from the pfx file. A pfx file usually contains additional attributes in a bag structure which are unsurprisingly called “bag attributes”. In very basic terms, these attributes are just some additional values about the certificate. These bag attributes get added to the certificate that we extract in PEM format and cause the above issue.
Resolution: If the basic extraction method is used for getting the PEM certificate and its key, as illustrated below, the bag attributes will be present in the output.
Extract Private Key from the PFX file:
- openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
Extract the certificate in PEM format, from the PFX file:
- openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
To bypass the issue, cut out the bag attributes from the PFX file and then extract out the certificate in PEM format and the key in .key format. This can be achieved by using the below commands:
Extract Private Key from the PFX file without the bag attributes:
- openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
Extract the certificate in PEM format, from the PFX file, without the bag attributes:
- openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>
The above obtained certificates will be free from any bag attributes and there will be no issues in updating the AS server certificates.
Note: This applies to all AS installation greater than v22.10