[GH-ISSUE #496] Generated PFX (.p12) not working with Node v17+ due to RC2 cipher #306

Open
opened 2026-02-25 22:33:04 +03:00 by kerem · 1 comment

Originally created by @bgever on GitHub (Jan 18, 2023).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/496

Environment

  • Operating system (including version): macOS 13.1
  • mkcert version (from `mkcert -version`): v1.4.4
  • Server (where the certificate is loaded): Node.js v18.12.1
  • Client (e.g. browser, CLI tool, or script): Node.js CLI (webpack-dev-server@4.11.1)

What you did

I'm using the webpack dev server, and prefer to use the PFX method as it only creates a single file on the filesystem.

  • Installed CA with `mkcert -install`
  • Create new PFX with `mkcert -pkcs12 localhost`
  • Run webpack with server config for HTTPS and loading the PFX (.p12) file.

Webpack config:

```
devServer: {
  server: {
    type: 'https',
    options: {
      pfx: './localhost.p12',
      passphrase: 'changeit'
    }
  }
}
```

What went wrong

Webpack is unable to serve with the following error:

```
> webpack serve --color --mode development

<i> [webpack-dev-server] SSL certificate: /Users/bart/myapp/node_modules/.cache/webpack-dev-server/server.pem
[webpack-cli] Error: unsupported
    at configSecureContext (node:internal/tls/secure-context:277:15)
    at Object.createSecureContext (node:_tls_common:117:3)
    at Server.setSecureContext (node:_tls_wrap:1352:27)
    at Server (node:_tls_wrap:1211:8)
    at new Server (node:https:74:3)
    at Object.createServer (node:https:112:10)
    at Server.createServer (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:2443:57)
    at Server.initialize (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:1820:10)
    at Server.start (/Users/bart/myapp/node_modules/webpack-dev-server/lib/Server.js:3251:16)
    at async Command.<anonymous> (/Users/bart/myapp/node_modules/@webpack-cli/serve/lib/index.js:159:21)
```

Searching for the problem led me to this Node.js bug report: https://github.com/nodejs/node/issues/40672

It mentions that RC2 cipher has been disabled since Node 17. The suggested command to list the PFX details confirms the use of the RC2 cipher, see `pbeWithSHA1And40BitRC2-CBC` below.

```sh
$ openssl pkcs12 -info -in localhost.p12 -noout
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

Is it possible to generate a PFX without using RC2?

In the meantime, I'm using the PEM files approach instead.
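
The manual check in the issue above, automated as an added example (not part of the original issue and not mkcert code): a Node.js function that parses `openssl pkcs12 -info -noout` output and flags bags whose cipher is only available through OpenSSL 3's legacy provider, which Node.js 17+ does not load by default. The function names and the second sample are constructed for illustration; the first sample is the output quoted in the issue.

```javascript
// Ciphers that OpenSSL 3 moved to the legacy provider (RC2, RC4, single DES).
// A bag encrypted with one of these cannot be decrypted by the default provider.
const LEGACY_ONLY = /RC2|RC4|AndDES-CBC/i;
// Still decryptable with the default provider, but a dated PKCS#12 PBE scheme.
const WEAK = /TripleDES|DES-EDE3/i;

// Returns one finding per encrypted container reported by
// `openssl pkcs12 -info -noout`.
function auditPkcs12Info(text) {
  const findings = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(
      /^(PKCS7 Encrypted data|Shrouded Keybag):\s*(.+?), Iteration (\d+)/);
    if (!m) continue; // MAC lines, "Certificate bag", prompts, etc.
    const [, container, algorithm, iter] = m;
    let status = 'ok';
    if (LEGACY_ONLY.test(algorithm)) status = 'legacy-provider-only';
    else if (WEAK.test(algorithm)) status = 'weak';
    findings.push({ container, algorithm, iterations: Number(iter), status });
  }
  return findings;
}

// True when no container needs the legacy provider.
function loadsWithDefaultProvider(findings) {
  return findings.length > 0 &&
    findings.every((f) => f.status !== 'legacy-provider-only');
}

// Sample 1: the output quoted in the issue.
const ISSUE_OUTPUT = [
  'MAC Iteration 1',
  'MAC verified OK',
  'PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048',
  'Certificate bag',
  'Certificate bag',
  'PKCS7 Data',
  'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048',
].join('\n');

// Sample 2 (constructed): a file written with PBES2/AES for both containers.
const MODERN_OUTPUT = [
  'MAC: sha256, Iteration 2048',
  'PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256',
  'Certificate bag',
  'PKCS7 Data',
  'Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256',
].join('\n');

for (const f of auditPkcs12Info(ISSUE_OUTPUT)) {
  console.log(`${f.status.padEnd(21)} ${f.container}: ${f.algorithm}`);
}
```
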


@bgever commented on GitHub (Sep 19, 2023):

Would the solution to explicitly state the ciphers for openssl also work for mkcert internals?
See https://github.com/homebridge/homebridge-config-ui-x/issues/1428#issuecomment-1712369849
