16 Mar 2023

Loading a new site certificate to FortiAuthenticator

You can receive the following error message when trying to import a PKCS12 (.p12 or .pfx) file into FortiAuthenticator to use as a certificate/private key pair for your Portal or any other Local Service.



Unsupported cipher algorithm. This can happen if the PKCS12 file uses unsupported weak ciphers, e.g. RC2. Use the OpenSSL command 'openssl pkcs12 -info -in <file>' to view the file's ciphers on a computer.

One of the reasons this can happen is that FortiAuthenticator rejects any PFX file containing a certificate or key encrypted with a weak cipher. To check what your PFX file contains, use openssl. Note that on OpenSSL 3.x the RC2 cipher is only available from the legacy provider, so if the command below fails with an "unsupported" error instead of showing the file's ciphers, add the -legacy option.

$ openssl pkcs12 -info -in myexample.pfx
Enter Import Password:

Among the output you will see the cipher used to encrypt your private key:

Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

And the ciphers used to encrypt the certificates:

PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000

We can see here that FortiAuthenticator was right: this PFX file has a 3DES-encrypted private key and 40-bit RC2-encrypted certificates inside, and 40-bit RC2 is exactly the kind of weak cipher the error message warns about.

Let's see how you fix this and allow FortiAuthenticator to install your PFX file.

One way is to export the private key and the certificates to separate files and use the FortiAuthenticator GUI option to load "Certificate and Private Key".

To get separate files, use the following openssl commands (add -legacy on OpenSSL 3.x if they fail on the RC2 bags):

openssl pkcs12 -in myexample.pfx -out myexample_certs.pem -nokeys -clcerts
openssl pkcs12 -in myexample.pfx -out myexample_privkey.pem -nocerts -nodes

Two things to keep in mind here. -clcerts writes only the end-entity (server) certificate; if the PFX also carries the issuing CA chain and you need it on the FortiAuthenticator, export that separately with -nokeys -cacerts. And -nodes writes the private key unencrypted, so restrict the permissions on myexample_privkey.pem and delete it once the certificate is loaded.
The alternative is to create a new PFX file with stronger ciphers, one that FortiAuthenticator will not reject. This method has the added benefit of teaching you how to create PFX files with openssl.
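The whole procedure above, from inspecting the bag algorithms through splitting the file to rebuilding it with AES-256, as an added shell example that is not part of the original post and is not Fortinet's code. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the function names (pfx_algorithms, pfx_has_weak_cipher, pfx_split, pfx_rebuild_aes) and the PFX_LEGACY variable are this example's own inventions, and the rebuild uses openssl's real -keypbe, -certpbe and -macalg options to select PBES2/AES-256-CBC and an HMAC-SHA256 integrity check.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the PBE algorithms inside
# a PKCS#12 file and rebuild it with AES-256 so FortiAuthenticator accepts it.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.
set -eu

# On OpenSSL 3.x the RC2 cipher lives in the legacy provider, so reading a PFX
# whose certificate bags use 40-bit RC2 needs "-legacy": run with
# PFX_LEGACY=-legacy in the environment. (Variable name is this example's own.)
: "${PFX_LEGACY:=}"

# pfx_algorithms FILE PASSWORD
# Print the MAC, certificate-bag and key-bag algorithms, i.e. the lines that
# "openssl pkcs12 -info" reports. openssl writes them to stderr, so merge it.
pfx_algorithms() {
    if ! info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" $PFX_LEGACY 2>&1); then
        printf '%s\n' "$info" >&2
        return 1
    fi
    printf '%s\n' "$info" | grep -E '^(MAC|PKCS7 Encrypted data|Shrouded Keybag):' || true
}

# pfx_has_weak_cipher FILE PASSWORD
# Succeeds (exit 0) when any bag uses RC2, the cipher the FortiAuthenticator
# error message names.
pfx_has_weak_cipher() {
    pfx_algorithms "$1" "$2" | grep -qi 'RC2'
}

# pfx_split FILE PASSWORD PREFIX
# Export PREFIX_key.pem (unencrypted, so created with restrictive permissions),
# PREFIX_cert.pem (leaf only) and PREFIX_chain.pem (CA certificates) for the
# GUI's "Certificate and Private Key" import. umask is changed in a subshell
# so it does not leak into the caller.
pfx_split() {
    (
        umask 077
        openssl pkcs12 -in "$1" -passin "pass:$2" $PFX_LEGACY -nocerts -nodes -out "${3}_key.pem"
        openssl pkcs12 -in "$1" -passin "pass:$2" $PFX_LEGACY -nokeys -clcerts -out "${3}_cert.pem"
        openssl pkcs12 -in "$1" -passin "pass:$2" $PFX_LEGACY -nokeys -cacerts -out "${3}_chain.pem"
    )
}

# pfx_rebuild_aes FILE PASSWORD OUTFILE
# Re-create the PFX with PBES2/AES-256-CBC for both the key and certificate
# bags and an HMAC-SHA256 integrity check. The new file keeps the same password
# and the full chain (leaf first, CA certificates after it).
pfx_rebuild_aes() {
    tmp=$(mktemp -d)
    pfx_split "$1" "$2" "$tmp/x"
    cat "$tmp/x_cert.pem" "$tmp/x_chain.pem" > "$tmp/x_all.pem"
    openssl pkcs12 -export -in "$tmp/x_all.pem" -inkey "$tmp/x_key.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$2" -out "$3"
    rm -rf "$tmp"
}

# Command-line use:  ./fix-pfx.sh myexample.pfx 'import-password' myexample_aes.pfx
if [ $# -eq 3 ]; then
    if pfx_has_weak_cipher "$1" "$2"; then
        echo "RC2 found in $1, rebuilding as $3"
    fi
    pfx_rebuild_aes "$1" "$2" "$3"
    pfx_algorithms "$3" "$2"
fi
```

After the rebuild, the -info lines for the new file should show PBES2 with AES-256-CBC for both the Shrouded Keybag and the PKCS7 Encrypted data, and no RC2, which is what FortiAuthenticator's check is looking for.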