diff --git a/0101-FIPS-enable-pkcs12-mac.patch b/0101-FIPS-enable-pkcs12-mac.patch
new file mode 100644
index 0000000..b017166
--- /dev/null
+++ b/0101-FIPS-enable-pkcs12-mac.patch
@@ -0,0 +1,105 @@
+diff -up openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c.xxx openssl-3.5.0-build/openssl-3.5.0/apps/pkcs12.c
+--- openssl-3.5.0/apps/pkcs12.c.xxx	2025-05-09 13:02:55.421755023 +0200
++++ openssl-3.5.0/apps/pkcs12.c	2025-05-09 13:07:10.393755067 +0200
+@@ -710,9 +710,6 @@ int pkcs12_main(int argc, char **argv)
+         }
+ 
+         if (maciter != -1) {
+-            if (EVP_default_properties_is_fips_enabled(NULL))
+-                pbmac1_pbkdf2 = 1;
+-
+             if (pbmac1_pbkdf2 == 1) {
+                 if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
+                                               macsaltlen, maciter,
+@@ -844,15 +841,34 @@ int pkcs12_main(int argc, char **argv)
+ 
+         if (OBJ_obj2nid(macobj) != NID_pbmac1) {
+             EVP_KDF *pkcs12kdf;
++            char *adjusted_propq = NULL;
++            const char *nofips = "-fips";
++            size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
++                                                                strlen(nofips) + 1;
++            char *ptr = NULL;
++
++            adjusted_propq = OPENSSL_zalloc(len);
++            if (adjusted_propq != NULL) {
++                    ptr = adjusted_propq;
++                    if (app_get0_propq()) {
++                        memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
++                        ptr += strlen(app_get0_propq());
++                        *ptr = ',';
++                        ptr++;
++                    }
++                    memcpy(ptr, nofips, strlen(nofips));
++            }
+ 
+             pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
+-                                      app_get0_propq());
++                                      adjusted_propq ? adjusted_propq : app_get0_propq());
+             if (pkcs12kdf == NULL) {
+                 BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
+                 BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
++                OPENSSL_free(adjusted_propq);
+                 goto end;
+             }
+             EVP_KDF_free(pkcs12kdf);
++            OPENSSL_free(adjusted_propq);
+         }
+ 
+         /* If we enter empty password try no password first */
+diff -up openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx openssl-3.5.0-build/openssl-3.5.0/crypto/pkcs12/p12_key.c
+--- openssl-3.5.0/crypto/pkcs12/p12_key.c.xxx	2025-05-09 13:03:13.573182158 +0200
++++ openssl-3.5.0/crypto/pkcs12/p12_key.c	2025-05-09 13:04:25.002955528 +0200
+@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
+     EVP_KDF *kdf;
+     EVP_KDF_CTX *ctx;
+     OSSL_PARAM params[6], *p = params;
++    char *adjusted_propq = NULL;
+ 
+     if (n <= 0)
+         return 0;
+ 
+-    kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
+-    if (kdf == NULL)
++    if (ossl_get_kernel_fips_flag()) {
++        const char *nofips = "-fips";
++        size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
++                                                 strlen(nofips) + 1;
++        char *ptr = NULL;
++
++        adjusted_propq = OPENSSL_zalloc(len);
++        if (adjusted_propq != NULL) {
++            ptr = adjusted_propq;
++            if (propq) {
++                memcpy(ptr, propq, strlen(propq));
++                ptr += strlen(propq);
++                *ptr = ',';
++                ptr++;
++            }
++            memcpy(ptr, nofips, strlen(nofips));
++        }
++    }
++
++    kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
++    if (kdf == NULL) {
++        OPENSSL_free(adjusted_propq);
+         return 0;
++    }
+     ctx = EVP_KDF_CTX_new(kdf);
+     EVP_KDF_free(kdf);
+-    if (ctx == NULL)
++    if (ctx == NULL) {
++        OPENSSL_free(adjusted_propq);
+         return 0;
++    }
+ 
+     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+                                             (char *)EVP_MD_get0_name(md_type),
+@@ -127,6 +151,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
+         } OSSL_TRACE_END(PKCS12_KEYGEN);
+     }
+     EVP_KDF_CTX_free(ctx);
++    OPENSSL_free(adjusted_propq);
+     return res;
+ }
+ 
diff --git a/openssl.spec b/openssl.spec
index 68ee944..5b485bd 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -91,6 +91,7 @@ Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
 Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
 #The patches that are different for RHEL9 and 10 start here
 Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+Patch0101: 0101-FIPS-enable-pkcs12-mac.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -426,6 +427,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 * Fri May 02 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-2
 - OpenSSL ignores "rh-allow-sha1-signatures = yes" option on RHEL-9
   Resolves: RHEL-88910
+- PKCS#12 should not default to pbmac1 in FIPS mode in RHEL-9
+  Resolves: RHEL-88912
 
 * Wed Apr 16 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-1
 - Rebasing OpenSSL to 3.5