Feature Request: Enable "Legacy" Providers for "Old Environments"

[teward]

With OpenSSL 3.0, a number of older algorithms for signatures or crypto on things like P12 files are disabled outright due to SSL security settings changes. This makes importing things a little problematic for things a-la P12 importing or certificate importing.

Because of this still being a case with pfSense due to PHP stupidity that Sense is working on, certificates are exported in a way that modern OpenSSL and integrations won't work with, unless we permit programmatically "Legacy" provider for the import to be available to XCA. This would allow 'older' cert packages to be imported still and used.

While we should not permit exporting on these old legacy things, we should still permit "import" for modernization, etc. especially for privkeys.

[gertvdijk]

re:

While we should not permit exporting on these old legacy things

I can imagine a lot devices are not able to import new-style PKCS#12 files and I would like to see an option to export in legacy format using XCA actually.

Background story: I hit this after OpenSSL upgrade to 3.0.x in a different way. Exported .p12/.pfx files in XCA cannot be imported on Android devices (including latest Android 13) and would give a cryptic "Password incorrect" error while it actually fails to decrypt the new scheme due to lack of support for it.

See StackOverflow Q&A: Installing pcks12 certificate in android "wrong password" bug

[chris2511]

Fixed with 9b749d7