You can receive the following error message when trying to import a PKCS12 (.p12 or .pfx) file into the FortiAuthenticator to use as a certificate/private key pair for your Portal or any other Local Service:
Unsupported cipher algorithm. This can happen if the PKCS12 file uses unsupported weak ciphers, e.g. RC2. Use the OpenSSL command 'openssl pkcs12 -info -in <file>' to view the file's ciphers on a computer.
One reason this happens is that FortiAuthenticator rejects any PFX file containing certificates or keys that are encrypted with weak ciphers. To check what your PFX file contains, use openssl:
$ openssl pkcs12 -info -in myexample.pfx
Enter Import Password:
This will give you output listing your private key's encryption cipher:
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
And the ciphers used to encrypt the certificates:
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
We can see here that FortiAuthenticator was right: your PFX file has a 3DES-encrypted private key and 40-bit RC2-encrypted certificates inside.
Let's see how you fix this and allow FortiAuthenticator to install your PFX file.
One way is to export the private key and certificates to separate files and use the FortiAuthenticator GUI option to load "Certificate and Private Key".
To get separate files, use the following openssl commands:
openssl pkcs12 -in myexample.pfx -out myexample_certs.pem -nokeys -clcerts
openssl pkcs12 -in myexample.pfx -out myexample_privkey.pem -nocerts -nodes
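As an added example (not the post's own commands), the check and the split can be scripted: weak_cipher_lines parses `openssl pkcs12 -info` output for the RC2/RC4/single-DES schemes that trigger the error, tested here against a constructed sample of that output, and split_pfx runs the post's two export commands on a real file, reading the import password from an assumed PFX_PASS environment variable.

```shell
#!/bin/sh
# Added example, not from the original post: triage a PKCS12 file as the post
# describes (inspect ciphers, then split into certificate and key PEM files).

# Constructed sample of `openssl pkcs12 -info` output (PEM bodies omitted),
# shaped like the post's myexample.pfx: RC2-encrypted certs, 3DES-encrypted key.
SAMPLE_INFO='MAC: sha1, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Key Attributes: <No Attributes>'

# Print the "PKCS7 Encrypted data:" / "Shrouded Keybag:" lines whose PBE scheme
# uses RC2, RC4 or single DES, i.e. the weak ciphers behind the import error.
# "3-KeyTripleDES" does not match "(MD5|SHA1)AndDES", so 3DES is reported apart.
weak_cipher_lines() {
    printf '%s\n' "$1" \
        | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' \
        | grep -E 'RC2|RC4|(MD5|SHA1)AndDES' || true
}

# Number of weak-cipher lines, printed as a plain integer (0 for a clean file).
weak_cipher_count() {
    weak_cipher_lines "$1" | grep -c . || true
}

# Legacy 3DES-protected bags: accepted by the post's scenario, but worth noting.
legacy_3des_lines() {
    printf '%s\n' "$1" \
        | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):' \
        | grep -E 'TripleDES' || true
}

# Inspect a real .pfx ($1) and run the post's two export commands on it.
# The info summary is written to stderr, hence 2>&1; -noout suppresses the PEM.
# -nodes writes the key unencrypted, so the output files are created mode 0600.
# Password source: PFX_PASS environment variable (assumed), via -passin env:.
split_pfx() {
    pfx=$1; base=${pfx%.*}
    info=$(openssl pkcs12 -info -in "$pfx" -noout -passin env:PFX_PASS 2>&1)
    if [ "$(weak_cipher_count "$info")" -gt 0 ]; then
        echo "weak ciphers found in $pfx:"; weak_cipher_lines "$info"
    fi
    ( umask 077
      openssl pkcs12 -in "$pfx" -out "${base}_certs.pem" -nokeys -clcerts -passin env:PFX_PASS
      openssl pkcs12 -in "$pfx" -out "${base}_privkey.pem" -nocerts -nodes -passin env:PFX_PASS )
}

# Usage: PFX_PASS='ImportPassword' sh check_pfx.sh myexample.pfx
if [ -n "${1:-}" ]; then split_pfx "$1"; else weak_cipher_lines "$SAMPLE_INFO"; fi
```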