Technical Tip: Unable to upload the PKCS12 certificate file in FortiAuthenticator
| Description | This article describes the reason for the PKCS12 certificate upload failure in FortiAuthenticator. |
| Scope | FortiAuthenticator. |
| Solution | PKCS12 certificates in the .p12 format are accepted by FortiAuthenticator.
Navigate to Certificate Management -> End Entities -> Local Services, select the Import button, and import a PKCS12 certificate. Enter the password and certificate ID, select Import.
FortiAuthenticator returns the error "'<cert name>' is not a PKCS12 certificate", even though the certificate is correct.
Check the encryption algorithm used in that certificate using OpenSSL with the following command: openssl pkcs12 -info -in "C:\Program Files\OpenSSL-Win64\<cert-name including extension>"
The output shows that the file is encrypted with the weak RC2-40-CBC cipher, which FortiAuthenticator does not support. FortiAuthenticator therefore cannot decrypt the file and returns the error.
Note: Ensure that the PKCS12 file was generated with a modern encryption algorithm supported by FortiAuthenticator; if it uses outdated/weak ciphers (such as RC2‑40‑CBC), it will be rejected. Regenerating the .p12 using a current OpenSSL version without legacy ciphers (or re‑exporting the certificate with stronger encryption) typically resolves the upload error. |
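The check and the re-export described in the note can be scripted as follows. This is an added example, not Fortinet code: it assumes OpenSSL 3.x on the PATH and that AES-256-CBC with a SHA-256 MAC is accepted by the appliance, and the function names and the `P12_IN_PASS` / `P12_OUT_PASS` variables are hypothetical.

```shell
#!/bin/sh
# Added example, not Fortinet code. Assumes OpenSSL 3.x; P12_IN_PASS and
# P12_OUT_PASS are hypothetical environment variable names for the passwords.

# Classify `openssl pkcs12 -info` text read from stdin by its PBE scheme.
p12_classify() {
    info=$(cat)
    case $info in
        *40BitRC2*|*40BitRC4*) echo weak-40bit ;;  # e.g. the RC2-40-CBC case
        *pbeWithSHA1And*)      echo legacy-pbe ;;  # other PKCS#12 v1 schemes
        *PBES2*)               echo pbes2 ;;       # PBKDF2 + AES
        *)                     echo unknown ;;
    esac
}

# Re-export $1 as $2 with AES-256-CBC and a SHA-256 MAC (assumed acceptable
# to the appliance). Runs in a subshell so umask and trap stay local.
p12_reexport() (
    umask 077                       # temp file holds the unencrypted key
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    # -legacy loads the legacy provider so OpenSSL 3.x can decrypt RC2-40.
    openssl pkcs12 -legacy -in "$1" -passin env:P12_IN_PASS \
        -nodes -out "$tmp" || exit 1
    openssl pkcs12 -export -in "$tmp" -out "$2" -passout env:P12_OUT_PASS \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
)

# Script use: ./p12fix.sh old.p12 new.p12
if [ "$#" -eq 2 ]; then
    # The algorithm lines go to stderr, hence 2>&1; -noout hides key material.
    kind=$(openssl pkcs12 -legacy -info -noout -in "$1" \
        -passin env:P12_IN_PASS 2>&1 | p12_classify)
    echo "$1: $kind"
    case $kind in
        weak-40bit|legacy-pbe) p12_reexport "$1" "$2" ;;
    esac
fi
```

Reading the passwords with `env:` keeps them out of the process argument list, and the decrypted key exists only in a mode-0600 temporary file that is removed when the function exits.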


