
Convert certificate from .P12 to .PEM

Dear all, 

I'm trying to establish 802.1x authentication with FortiAuthenticator with WYSE ThinClients.

The issue I'm facing is that the WYSE ThinClients do not accept uploading the certificate in P12 format. So I had to convert the certificate from p12 to pem format with the following command.

openssl -in certificate.p12 -out certicate.pem -nodes 


I'm not sure if this is the correct workaround, because when I connect the WYSE client to the LAN I get the following error during the 802.1x authentication in the RADIUS debug log on the FortiAuthenticator.


(27114) NAS-Identifier = "SW05"
(27114) State = 0x27109ff1238a929e9e997608a9bd058a
(27114) User-Name = "pcoip-portal-010101010101"
(27114) EAP-Message = 0x029a00110d80000000071503030002022a
(27114) Framed-MTU = 1500
(27114) NAS-Port-Id = "port6"
(27114) NAS-Port = 6
(27114) NAS-Port-Type = Ethernet
(27114) Calling-Station-Id = "10-10-10-10-10"
(27114) Message-Authenticator = 0x282904555f961a374548479e83affca0
(27114) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
(27114) facauth: ===>NAS IP:
(27114) facauth: ===>Username:pcoip-portal-010101010101
(27114) facauth: ===>Timestamp:1674245356.300727, age:0ms
(27114) facauth: Found authclient from preloaded authclients list for FW01 (
(27114) facauth: Found authpolicy 'RADPOL' for client ''
(27114) facauth: Client type: external (subtype: radius)
(27114) facauth: Input raw_username: (null) Realm: (null) username: pcoip-portal-847bebee4f93
(27114) facauth: Searching default realm as well
(27114) facauth: Realm not specified, default goes to FAC local user
(27114) facauth: Local user found: pcoip-portal-010101010101"
(27114) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
(27114) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
(27114) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
(27114) # Executing group from file /usr/etc/raddb/sites-enabled/default
(27114) eap: Expiring EAP session with state 0x27109ff1238a929e
(27114) eap: Finished EAP session with state 0x27109ff1238a929e
(27114) eap: Previous EAP request found for state 0x27109ff1238a929e, released from the list
(27114) eap_tls: ERROR: TLS Alert read:fatal:bad certificate
(27114) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
(27114) eap_tls: ERROR: TLS failed during operation
(27114) eap_tls: ERROR: [eaptls process] = fail
(27114) # Executing group from file /usr/etc/raddb/sites-enabled/default
(27114) facauth: Updated auth log 'pcoip-portal-010101010101"': 802.1x authentication failed

The questions now:

- Have I wrongly created the certificate?
- Is the certificate wrongly converted with the above command?
- Is the WYSE thin client incompatible with SSL3?

Any help would be much appreciated.

Cheers DanielDSC



p12/pfx is a container format including the server certificate file, the private key and possibly other things like intermediate certificates.
Assuming you need those components individually to work with, try editing the output of

openssl  pkcs12 -in certificate.p12 -out certificate.pem -nodes

Edit certificate.pem and extract the certificate, private key, etc. (each with its BEGIN/END lines) into separate files to use.


I guess 
openssl pkcs12 -in certificate.p12  -out certif.cer
extracts only the certificate file; you could try it.




/ Abel

regards / Abel
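
The manual split described in the reply above (copying each BEGIN/END block out of certificate.pem into its own file), scripted as an added example that is not part of the original thread. The function name `split_pem_bundle` and the output file names are assumptions; the text that `openssl pkcs12` writes between blocks ("Bag Attributes", subject/issuer lines) is left out of the output files.

```shell
#!/bin/sh
# Added example (not from the thread): split the bundle written by
#   openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
# into one file per BEGIN/END block: cert-N.pem, key-N.pem, other-N.pem.
# Usage: split_pem_bundle BUNDLE OUTDIR   (hypothetical helper name)
split_pem_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # -nodes leaves the private key unencrypted on disk, so every file is
    # created readable by its owner only.
    (
        umask 077
        awk -v dir="$outdir" '
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                label = $0
                sub(/^-----BEGIN /, "", label)
                sub(/-----$/, "", label)
                if (label ~ /PRIVATE KEY$/)      kind = "key"
                else if (label == "CERTIFICATE") kind = "cert"
                else                             kind = "other"
                n[kind]++
                file = dir "/" kind "-" n[kind] ".pem"
                inblock = 1
            }
            # Lines outside a block (Bag Attributes, subject=, issuer=) are skipped.
            inblock { print > file }
            /^-----END [A-Z0-9 ]+-----$/ {
                if (inblock) close(file)
                inblock = 0
            }
            # A block without its END line means the bundle is truncated.
            END { if (inblock) exit 2 }
        ' "$bundle"
    )
}
```

Numbering follows the order of blocks in the bundle, so cert-1.pem is not necessarily the client certificate; `openssl x509 -in cert-1.pem -noout -subject -issuer` shows which file holds which certificate.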

Yes, this is what I did.

openssl pkcs12 -in certificate.p12  -out certif.cer << I missed the pkcs12 parameter in the above post, but I converted the certificate successfully with your command. But I still get the following error from FortiAuthenticator:

(27114) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate 



Maybe your third assumption... (- Is the WYSE thin client incompatible with SSL3?)

I don't know anything about WYSE; maybe others in the forum could help.


/ Abel

regards / Abel

Hi Abelio,

At the moment I also assume this would be the reason.

Thanks, and regards. 

