iyotov
Staff
Article Id 327734
Description

This article describes how to verify the ciphers used in a PKCS#12 / PFX container, the format certificate authorities (CAs) commonly use to deliver SSL/TLS certificates together with their private keys, for example when issuing wildcard server certificates.

The article also provides a workaround for importing certificates that the CA delivered in a container encrypted with a weak (low-encryption) cipher.

The OpenSSL commands in the examples below were run on a Linux machine. OpenSSL for Windows uses similar syntax, which may differ slightly.

Scope

FortiManager 7.4.2 and above.
FortiAnalyzer 7.4.2 and above.

Solution

All the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2, RC4, RC5, and SEED cipher functions have been deprecated since OpenSSL 3.

These ciphers are no longer supported in FortiManager / FortiAnalyzer 7.4.2 and above. Attempting to import a .p12 / .pfx certificate file encrypted with any of them fails with the error 'could not load the shared library (wrong password?)', as described in the related article below.

To verify the ciphers, download the PKCS#12 file to a PC with OpenSSL installed, then run the following OpenSSL command:

$ openssl pkcs12 -info -in <your_certificate.pfx> -noout -passin pass:<your_p12_password>

Example output (here the CA provided a single file named 'certificate.pfx', encrypted with the password P@s5w0rd):

$ openssl pkcs12 -info -in certificate.pfx -noout -passin pass:P@s5w0rd
 MAC: sha1, Iteration 2000
 MAC length: 20, salt length: 20
 PKCS7 Data
 Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000

The 'Shrouded Keybag' line shows the cipher protecting the private key and the 'PKCS7 Encrypted data' line the cipher protecting the certificates; in this example both are deprecated ciphers (3DES and 40-bit RC2).

OpenSSL 3.0 and above may also print the following error at the end of the output, depending on its configuration; the error names the unsupported cipher (here RC2-40-CBC):

Error outputting keys and certificates
405723D287710000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

In such a case, run the command with the -legacy flag (which loads the OpenSSL legacy provider) to avoid the error. Example:

$ openssl pkcs12 -legacy -info -in certificate.pfx -noout -passin pass:P@s5w0rd

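The cipher check described above, wrapped into a small POSIX shell script (an added example, not part of the Fortinet article): classify_pkcs12_info parses the '-info' output and flags the deprecated ciphers the article lists, and check_pfx runs openssl on a real file, retrying with -legacy when an OpenSSL 3 build aborts on the unsupported cipher. The function names are the example's own; the first sample output is the article's, the second is a constructed modern export.

```shell
#!/bin/sh
# Added example, not from the article: flag the deprecated PBE ciphers that
# FortiManager/FortiAnalyzer 7.4.2+ reject, by parsing 'openssl pkcs12 -info'.

# Read '-info' output on stdin and print a verdict for every key/cert bag.
# Returns 1 if any bag uses a cipher from the article's deprecated list, else 0.
classify_pkcs12_info() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *Keybag:*|*"Encrypted data:"*)
                alg=${line#*: }   # text after 'Shrouded Keybag: ' or 'PKCS7 Encrypted data: '
                case "$alg" in
                    *RC2*|*RC4*|*RC5*|*DES*|*IDEA*|*CAST*|*Blowfish*|*SEED*|*Camellia*)
                        printf 'DEPRECATED %s\n' "$alg"; found=1 ;;
                    *)  printf 'ok         %s\n' "$alg" ;;
                esac ;;
        esac
    done
    return "$found"
}

# Run the article's check on a real file. '-info' writes to stderr, so it is
# captured with 2>&1; if an OpenSSL 3 build aborts on the unsupported cipher,
# retry with -legacy. Usage: check_pfx FILE PASSWORD
check_pfx() {
    info=$(openssl pkcs12 -info -in "$1" -noout -passin "pass:$2" 2>&1) ||
    info=$(openssl pkcs12 -legacy -info -in "$1" -noout -passin "pass:$2" 2>&1) || {
        printf 'openssl could not read %s (wrong password or no legacy provider?)\n' "$1" >&2
        return 2
    }
    printf '%s\n' "$info" | classify_pkcs12_info
}

# The '-info' output the article shows for certificate.pfx (copied from it).
ARTICLE_SAMPLE='MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000'

# Constructed sample of what an OpenSSL 3 default export (PBES2/AES) looks like.
MODERN_SAMPLE='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

if [ "$#" -eq 2 ]; then check_pfx "$1" "$2"; fi   # e.g. ./check_pfx.sh certificate.pfx 'P@s5w0rd'
```

A non-zero exit from check_pfx (1: deprecated cipher found, 2: file unreadable) means the container must be re-encoded with the extraction steps that follow before importing.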
To import such certificates into FortiManager/FortiAnalyzer, extract the private key and the certificate from the container with the following OpenSSL commands.

Extract the private key:

$ openssl pkcs12 -legacy -in certificate.pfx -nocerts -out certificate.key -passin pass:<your_p12_password>

... Enter a new PEM passphrase when prompted.
... Enter the new PEM passphrase again to verify.

Extract the certificate:

$ openssl pkcs12 -legacy -in certificate.pfx -clcerts -nokeys -out certificate.cer -passin pass:<your_p12_password>

Note: The -legacy flag is not available in OpenSSL versions before 3.0, which can read these containers without it.

At this point, there should be two new files in PEM format on the disk: 'certificate.key' (the passphrase-protected private key) and 'certificate.cer' (the certificate).

In the FortiManager GUI, the two PEM files can be imported under the 'Import Local Certificate' menu, as type 'Certificate':

  • In the Certificate File box, import 'certificate.cer'.
  • In the Key File box, import 'certificate.key'.
  • In the Password box, type the PEM passphrase created earlier.
  • Change the name if needed, and select OK to import the certificate.

Importing the certificate via the CLI may also fix the issue. Refer to the following article:
Technical Tip: Import PFX certificate to FortiManager/FortiAnalyzer via the CLI

Related article:

Troubleshooting Tip: Loading a PKCS#12 Certificate in FortiManager/FortiAnalyzer gives a wrong passw...