Created on 07-24-2024 06:28 AM Edited on 11-27-2024 01:47 AM By Jean-Philippe_P
This article describes how to verify the ciphers of the PKCS#12 / PFX container, used for transporting SSL/TLS certificates with private keys generated by the certificate authority (CA). This format is commonly used when issuing wildcard server certificates.
The article also provides a workaround for importing certificates provided by the CA in a low-encryption container.
The OpenSSL commands in the examples below are from a Linux machine. OpenSSL for Windows has similar syntax but the syntax may differ slightly.
FortiManager 7.4.2 and above.
FortiAnalyzer 7.4.2 and above.
All the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2, RC4, RC5, and SEED cipher functions have been deprecated since OpenSSL 3.
These ciphers are no longer supported in FortiManager / FortiAnalyzer 7.4.2 and above, and attempting to import a .p12 / .pfx certificate file encrypted using any of the above ciphers would result in an error 'could not load the shared library (wrong password?)', as described in the related article below.
To verify the ciphers, have the PKCS#12 file downloaded on a PC with installed OpenSSL, then use the following OpenSSL command:
$ openssl pkcs12 -info -in <your_certificate.pfx> -noout -passin pass:<your_p12_password>
Example output (here the CA provided a single file named 'certificate.pfx' encrypted with a password P@s5w0rd):
$ openssl pkcs12 -info -in certificate.pfx -noout -passin pass:P@s5w0rd
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
OpenSSL version 3.0 and above, may also include the following error at the end of the above output, depending on the configuration, highlighting the unsupported cipher:
Error outputting keys and certificates
405723D287710000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
In such a case the command can be run with a -legacy flag to avoid the error.
Example:
$ openssl pkcs12 –legacy -info -in certificate.pfx -noout -passin pass:P@s5w0rd
To import such certificates in FortiManager/FortiAnalyzer, the private and public keys should be extracted using the following OpenSSL commands:
Extract the private key:
$ openssl pkcs12 -legacy -in certificate.pfx -nocerts -out certificate.key -passin pass:<your-p12_password>
... Enter new PEM passphrase when prompted.
... Enter the new PEM passphrase again to verify.
Extract the certificate:
$ openssl pkcs12 -legacy -in certificate.pfx -clcerts -nokeys -out certificate.cer -passin pass:<your_p12_password>
Note: The -legacy flag is not available in the older OpenSSL versions.
At this point, there should be two new files in PEM format created on the disk - 'certificate.key' and 'certificate.cer'.
In the FortiManager GUI, the two PEM files can be imported under the 'Import Local Certificate' menu, as a type 'Certificate':
Importing the certificate via CLI may also fix the issue. Refer to the following article:
Technical Tip: Import PFX certificate to FortiManager/FortiAnalyzer via the CLI
Related article:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.